Abstract. We show how to extract existential witnesses from classical proofs using Krivine's classical realizability — where classical proofs are interpreted as $\lambda$-terms with the call/cc control operator. We first recall the basic framework of classical realizability (in classical second-order arithmetic) and show how to extend it with primitive numerals for faster computations. Then we show how to perform witness extraction in this framework, by discussing several techniques depending on the shape of the existential formula. In particular, we show that in the $\Sigma^0_1$-case, Krivine's witness extraction method reduces to Friedman's through a well-suited negative translation to intuitionistic second-order arithmetic. Finally we discuss the advantages of using call/cc rather than a negative translation, especially from the point of view of an implementation.



1. Introduction 

Extracting an existential witness (i.e. an object $t$ such that $A(t)$) from a proof of the formula $\exists x\, A(x)$ is now a well-understood technique in intuitionistic logic. The simplest way to do it is to normalize the proof and retrieve the witness from the premise of its normal form. Through the Brouwer-Heyting-Kolmogorov interpretation, one can also read the proof as a functional program that reduces to a pair whose first component is the desired witness. Such techniques are implemented in proof-assistants based on intuitionistic systems [29, 20, 27].

Extracting a witness from a classical proof of an existential formula is much more difficult, since classical logic is known not to enjoy the witness property. Such an extraction is actually not always feasible: for instance, we cannot expect to extract a witness from the obvious classical proof of the formula

$$\exists x\,\big((x = 1 \wedge C) \vee (x = 0 \wedge \neg C)\big)$$

in general — think of $C$ being undecidable or, say, Riemann's conjecture. However, several techniques [12, 13, 11] (among others) have been proposed in order to extract a witness from a classical proof of an existential formula in some particular cases — typically: when the formula is $\Sigma^0_1$ (i.e. of the form $\exists x\, f(x) = 0$).



1.1. Friedman's method. One of the most popular methods to extract witnesses from classical proofs of $\Sigma^0_1$-formulae has been introduced by Friedman [6]. The idea of Friedman is to generalize Gödel and Kolmogorov's double negation translation by replacing the intuitionistic negation $\neg A = A \Rightarrow \bot$ by a relative negation $\neg_R A = A \Rightarrow R$ parameterized by an arbitrary formula $R$. (The only condition on $R$ is that its free variables should not be captured in the formula or the proof we want to translate.) In first-order Peano arithmetic (PA) for instance, this negative $R$-translation $A \mapsto A^{\neg\neg_R}$ can be defined as follows:

$$\begin{aligned}
(e_1 = e_2)^{\neg\neg_R} &= \neg_R\neg_R(e_1 = e_2) & (\neg A)^{\neg\neg_R} &= \neg_R A^{\neg\neg_R}\\
(A \wedge B)^{\neg\neg_R} &= A^{\neg\neg_R} \wedge B^{\neg\neg_R} & (\forall x\, A)^{\neg\neg_R} &= \forall x\, A^{\neg\neg_R}\\
(A \vee B)^{\neg\neg_R} &= \neg_R(\neg_R A^{\neg\neg_R} \wedge \neg_R B^{\neg\neg_R}) & (\exists x\, A)^{\neg\neg_R} &= \neg_R \forall x\, \neg_R A^{\neg\neg_R}
\end{aligned}$$

and it is easy to check that if a formula $A$ is provable in Peano arithmetic, then the formula $A^{\neg\neg_R}$ is provable in Heyting Arithmetic (HA), independently from the choice of the formula $R$.

If we apply this translation to a classical proof $p$ of the formula $\exists x\, f(x) = 0$ (i.e. a $\Sigma^0_1$-formula), then we get an intuitionistic proof $p^*$ of the formula

$$\neg_R \forall x\, \neg_R \neg_R \neg_R\, f(x) = 0.$$

By simplifying the triple (relative) negation and by unfolding the relative negation $\neg_R A = A \Rightarrow R$, we thus get an intuitionistic proof $p^{*\prime}$ of the formula

$$\forall x\,(f(x) = 0 \Rightarrow R) \Rightarrow R.$$

(The proof $p^{*\prime}$ we get is parametric w.r.t. the formula $R$.)

Now, let us introduce Friedman's trick, which is to instantiate the parameter $R$ with the formula we want to prove, letting $R = \exists y\, f(y) = 0$. Thus $p^{*\prime}$ is an intuitionistic proof of the implication

$$\forall x\,(f(x) = 0 \Rightarrow \exists y\, f(y) = 0) \Rightarrow \exists y\, f(y) = 0$$

whose left member is the introduction rule of existential quantification. Combining the modus ponens with the introduction rule of existential quantification, we finally get an intuitionistic proof $(p^{*\prime})\,(\exists\text{-intro})$ of the formula

$$\exists y\, f(y) = 0$$

from which we can perform the standard extraction techniques.
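The three steps just described (the $R$-translation, the collapse of the triple relative negation, and Friedman's instantiation of $R$) can be carried out mechanically on formulas. The following Python program is an added example, not code from the paper: the formula constructors (Eq, Not, And, Or, Forall, Exists, NotR, Imp), the representation of arithmetic expressions as plain strings and the function names are this example's own assumptions.

```python
from dataclasses import dataclass

# Formulas of first-order Peano arithmetic.  Arithmetic expressions are kept as
# plain strings ("f(x)", "0") because the translation never looks inside them.
@dataclass(frozen=True)
class Eq:          # e1 = e2
    lhs: str
    rhs: str

@dataclass(frozen=True)
class Not:         # intuitionistic negation, A => False
    body: object

@dataclass(frozen=True)
class And:
    left: object
    right: object

@dataclass(frozen=True)
class Or:
    left: object
    right: object

@dataclass(frozen=True)
class Forall:
    var: str
    body: object

@dataclass(frozen=True)
class Exists:
    var: str
    body: object

@dataclass(frozen=True)
class NotR:        # relative negation  not_R A  (A => R, for the parameter R)
    body: object

@dataclass(frozen=True)
class Imp:         # A => B, produced once not_R is unfolded
    left: object
    right: object


def friedman(a):
    """The negative R-translation A -> A^{not not_R}, one clause per connective."""
    if isinstance(a, Eq):
        return NotR(NotR(a))
    if isinstance(a, Not):
        return NotR(friedman(a.body))
    if isinstance(a, And):
        return And(friedman(a.left), friedman(a.right))
    if isinstance(a, Or):
        return NotR(And(NotR(friedman(a.left)), NotR(friedman(a.right))))
    if isinstance(a, Forall):
        return Forall(a.var, friedman(a.body))
    if isinstance(a, Exists):
        return NotR(Forall(a.var, NotR(friedman(a.body))))
    raise TypeError(f"not a first-order formula: {a!r}")


def simplify(a):
    """Collapse not_R not_R not_R A into not_R A everywhere (an intuitionistic equivalence)."""
    if isinstance(a, NotR):
        inner = simplify(a.body)
        if isinstance(inner, NotR) and isinstance(inner.body, NotR):
            return NotR(inner.body.body)       # three relative negations become one
        return NotR(inner)
    if isinstance(a, Eq):
        return a
    if isinstance(a, Not):
        return Not(simplify(a.body))
    if isinstance(a, (And, Or, Imp)):
        return type(a)(simplify(a.left), simplify(a.right))
    return type(a)(a.var, simplify(a.body))    # Forall / Exists


def unfold(a, r):
    """Replace every not_R B by B => r, for a concrete formula r."""
    if isinstance(a, NotR):
        return Imp(unfold(a.body, r), r)
    if isinstance(a, Eq):
        return a
    if isinstance(a, Not):
        return Not(unfold(a.body, r))
    if isinstance(a, (And, Or, Imp)):
        return type(a)(unfold(a.left, r), unfold(a.right, r))
    return type(a)(a.var, unfold(a.body, r))   # Forall / Exists


def show(a):
    """Pretty-printer, used to read the results."""
    if isinstance(a, Eq):
        return f"{a.lhs} = {a.rhs}"
    if isinstance(a, Not):
        return f"¬{show(a.body)}"
    if isinstance(a, NotR):
        return f"¬R {show(a.body)}"
    if isinstance(a, And):
        return f"({show(a.left)} ∧ {show(a.right)})"
    if isinstance(a, Or):
        return f"({show(a.left)} ∨ {show(a.right)})"
    if isinstance(a, Imp):
        return f"({show(a.left)} ⇒ {show(a.right)})"
    if isinstance(a, Forall):
        return f"∀{a.var} {show(a.body)}"
    return f"∃{a.var} {show(a.body)}"


def friedman_trick(sigma1, r):
    """Translate a Sigma^0_1 goal, simplify, then instantiate the parameter with r
    (Friedman's trick).  Returns (translated, simplified, instantiated)."""
    t = friedman(sigma1)
    s = simplify(t)
    return t, s, unfold(s, r)


if __name__ == "__main__":
    goal = Exists("x", Eq("f(x)", "0"))            # constructed sample goal
    for f in friedman_trick(goal, Exists("y", Eq("f(y)", "0"))):
        print(show(f))
```

Running the program prints the three formulas of the text in order; the last one is $\forall x\,(f(x) = 0 \Rightarrow \exists y\, f(y) = 0) \Rightarrow \exists y\, f(y) = 0$, whose premise is exactly the $\exists$-introduction rule.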

The transformation above actually shows that classical arithmetic is conservative over intuitionistic arithmetic on the class of $\Sigma^0_1$-formulae. Since the transformation even works when the inner formula depends on free variables, it is easy to generalize the latter result to a result of conservativity on the class of $\Pi^0_2$-formulae:

$$\begin{array}{ll}
\vdash_{\mathrm{PA}} \forall x\,\exists y\, f(x,y) = 0 & \\
\vdash_{\mathrm{PA}} \exists y\, f(x_0,y) = 0 & (\forall\text{-elim}, x_0 \text{ fresh})\\
\vdash_{\mathrm{HA}} \exists y\, f(x_0,y) = 0 & (\text{Friedman's transformation})\\
\vdash_{\mathrm{HA}} \forall x\,\exists y\, f(x,y) = 0 & (\forall\text{-intro})
\end{array}$$

This conservativity result has been extended by Friedman (using the same technique) to much stronger pairs of classical and intuitionistic theories, such as PA2/HA2, ..., $\mathrm{PA}_\omega/\mathrm{HA}_\omega$, Z/IZ, ZF/IZF$_\mathrm{C}$.

1.2. Krivine's classical realizability. Up to the 90's, the computational content of classical proofs was only studied indirectly, via clever translations to intuitionistic logic [5, 12] (among others) or to linear logic. The situation quickly changed with the discovery of a strong connection between classical reasoning principles (such as Peirce's law) and control operators (such as call/cc) [9]. This led to the rise of many extensions of the $\lambda$-calculus with control primitives, such as Krivine's $\lambda_c$-calculus [19], Parigot's $\lambda\mu$-calculus [26], Barbanera and Berardi's (non deterministic) symmetric $\lambda$-calculus [1] or Curien and Herbelin's $\bar\lambda\mu\tilde\mu$-calculus [5]. (This list is far from being exhaustive.)

Among these different proposals to extend the proofs-as-programs paradigm to classical logic, Krivine's theory of classical realizability [16, 19] enjoys a particular position. First, it is based on realizability rather than on typing, which makes it naturally more flexible and more powerful than systems that are simply based on typing. Second, the simplicity of the underlying calculus of realizers (the $\lambda$-calculus extended with the call/cc control primitive) and of its evaluation policy (weak head normalization) hides its main feature, which is its ability to incorporate new instructions in order to realize new formulas, such as (for instance) several forms of the axiom of choice [17]. Although classical realizability is traditionally presented in second-order classical arithmetic, it can be extended to much more expressive logical frameworks such as Zermelo-Fraenkel set theory [16] or the calculus of constructions with universes [21].

Less known is the fact that Krivine's framework allows to perform classical witness extraction directly (especially from realizers of $\Sigma^0_1$-formulae), without going through a negative translation such as Friedman's. The purpose of this paper is twofold. First, it aims at presenting some methods that naturally come with classical realizability in order to extract witnesses from classical proofs of existential formulas — especially $\Sigma^0_1$-formulae. Second, it aims to relate the extraction method for $\Sigma^0_1$-formulas with Friedman's, by showing that through a well-chosen negative translation (inspired from [25]), both methods are basically the same (up to the details of the translation).

One of the difficulties of tracking arithmetic reasoning through a negative translation 
is that some parts of the proof carry over logical invariants whereas other parts are only 
devoted to arithmetic computations. To solve this problem, we shall introduce primitive 
numerals in the language of realizers, while showing that they (essentially) realize the same 
formulae as Church numerals. As a side effect, replacing Church numerals with primitive 
numerals also makes the corresponding extraction technique much more realistic — and we 
believe, much more efficient — in the perspective of a practical implementation. 

1.3. Outline of the paper. In section 2 we present a type system for classical second-order arithmetic (PA2) based on the $\lambda$-calculus extended with the primitive call/cc. This type system is given its semantics in section 3 by defining a family of classical realizability models (following [19]). In section 4 we extend the calculus of realizers and the type system for PA2 with primitive numerals to make arithmetic computations more efficient (in proof-terms) and more easily tractable through the negative translation. The classical witness extraction methods are presented in section 5 and we illustrate them with an example based on the minimum principle in section 6. In section 7 we define a more traditional type system for intuitionistic second-order arithmetic (HA2), which we relate to the type system for PA2 by defining in section 8 a negative translation in the spirit of [25].

ALEXANDRE MIQUEL



2. Classical second-order arithmetic (PA2) 



2.1. The language of second-order arithmetic. The language of PA2 (Fig. 1) is made of two kinds of syntactic expressions: arithmetic expressions (a.k.a. first-order terms¹) that represent individuals, and formulae that represent mathematical propositions.

Arithmetic expressions (notation: $e$, $e'$, $e_1$, etc.) are built from an infinite set of first-order variables (notation: $x$, $y$, $z$, etc.) using function symbols (notation: $f$, $h$, etc.) defined in a given first-order signature. Here, we assume that the signature contains a constant symbol '0' for zero, a unary function symbol 's' for the successor function, and more generally, a function symbol $f$ of arity $k$ for every primitive recursive definition of a function with $k$ arguments. In the sequel, we shall use binary function symbols '+' (addition) and '×' (multiplication) as well as unary function symbols 'pred' (predecessor) and 'neg' (boolean negation) with the following definitions:

$$\begin{aligned}
0 + y &= y & 0 \times y &= 0\\
s(x) + y &= s(x + y) & s(x) \times y &= (x \times y) + y\\
\mathrm{pred}(0) &= 0 & \mathrm{neg}(0) &= 1\\
\mathrm{pred}(s(x)) &= x & \mathrm{neg}(s(x)) &= 0
\end{aligned}$$

(writing $1 = s(0)$, $2 = s(1)$, $3 = s(2)$, etc.) The set of all free variables of an arithmetic expression $e$ is written $FV(e)$. The notion of (first-order) substitution in an arithmetic expression is defined as usual and written $e\{x := e'\}$.

Formulae of the language of second-order arithmetic (notation: $A$, $B$, $C$, etc.) are formed from second-order variables (notation: $X$, $Y$, $Z$, etc.) of all arities using implication and first- and second-order universal quantification (Fig. 1). We slightly deviate from the traditional presentation of the syntax of the language [7, 14] by explicitly introducing a unary predicate symbol 'null' expressing that its argument yields zero. The main reason for introducing this symbol is that it facilitates the construction of a simple proof-term for Peano's 4th axiom within the type system presented in section 2.3.

The set of all free (first- and second-order) variables of a formula $A$ is written $FV(A)$. The notions of first- and second-order substitution in a formula are defined as usual, and written $A\{x := e\}$ and $A\{X(x_1, \ldots, x_k) := B\}$ respectively. (See [7, 14] for a more detailed presentation of the two forms of substitutions.)



2.1.1. Second-order encodings. Propositional units ($\top$ and $\bot$), negation, conjunction, disjunction, first- and second-order existential quantification as well as Leibniz equality are represented using the second-order encodings given in Fig. 1. Here, we define the propositional constant $\top$ as a shorthand for the formula $\mathrm{null}(0)$, which is consistent with the type system of section 2.3 and the realizability interpretation of section 3. Intuitively, the formula $\top$ is the type of all proof-terms, and it is important not to confuse it with the (true) formula $\forall Z\,(Z \Rightarrow Z)$ that has far fewer proof-terms.

¹ We shall prefer the terminology of 'arithmetic expression' to the more standard terminology of 'first-order term' to prevent a confusion with the proof-terms we shall introduce in section 2.3.
The language of PA2

$$\begin{aligned}
\text{Arithmetic expr.}\quad e &::= x \mid f(e_1, \ldots, e_k)\\
\text{Formulae}\quad A, B &::= \mathrm{null}(e) \mid X(e_1, \ldots, e_k) \mid A \Rightarrow B \mid \forall x\, A \mid \forall X\, A\\
\text{Proof-terms}\quad t, u &::= x \mid \lambda x.\,t \mid tu \mid \mathsf{cc}\\
\text{Contexts}\quad \Gamma &::= \emptyset \mid \Gamma, x : A
\end{aligned}$$

The congruences $e \cong e'$ and $A \cong A'$

$$\begin{aligned}
0 + y &\cong y & \mathrm{pred}(0) &\cong 0 & \mathrm{neg}(0) &\cong 1\\
s(x) + y &\cong s(x + y) & \mathrm{pred}(s(x)) &\cong x & \mathrm{neg}(s(x)) &\cong 0\\
&&&& \mathrm{null}(s(x)) &\cong \bot \qquad \text{(etc.)}
\end{aligned}$$

Abbreviations

$$\begin{aligned}
\top &\equiv \mathrm{null}(0)\\
\bot &\equiv \forall Z\, Z\\
\neg A &\equiv A \Rightarrow \bot\\
A \wedge B &\equiv \forall Z\,((A \Rightarrow B \Rightarrow Z) \Rightarrow Z)\\
A \vee B &\equiv \forall Z\,((A \Rightarrow Z) \Rightarrow (B \Rightarrow Z) \Rightarrow Z)\\
\exists x\, A(x) &\equiv \forall Z\,(\forall x\,(A(x) \Rightarrow Z) \Rightarrow Z)\\
\exists X\, A(X) &\equiv \forall Z\,(\forall X\,(A(X) \Rightarrow Z) \Rightarrow Z)\\
e = e' &\equiv \forall Z\,(Z(e) \Rightarrow Z(e'))\\
\mathrm{nat}(e) &\equiv \forall Z\,(Z(0) \Rightarrow \forall y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow Z(e))
\end{aligned}$$

Typing rules of PA2

$$\frac{(x : A) \in \Gamma}{\Gamma \vdash_{\mathrm{NK}} x : A}
\qquad
\frac{FV(t) \subseteq \mathrm{dom}(\Gamma)}{\Gamma \vdash_{\mathrm{NK}} t : \top}
\qquad
\frac{\Gamma \vdash_{\mathrm{NK}} t : A \quad A \cong A'}{\Gamma \vdash_{\mathrm{NK}} t : A'}$$

$$\frac{}{\Gamma \vdash_{\mathrm{NK}} \mathsf{cc} : ((A \Rightarrow B) \Rightarrow A) \Rightarrow A}
\qquad
\frac{\Gamma, x : A \vdash_{\mathrm{NK}} t : B}{\Gamma \vdash_{\mathrm{NK}} \lambda x.\,t : A \Rightarrow B}
\qquad
\frac{\Gamma \vdash_{\mathrm{NK}} t : A \Rightarrow B \quad \Gamma \vdash_{\mathrm{NK}} u : A}{\Gamma \vdash_{\mathrm{NK}} tu : B}$$

$$\frac{\Gamma \vdash_{\mathrm{NK}} t : A \quad x \notin FV(\Gamma)}{\Gamma \vdash_{\mathrm{NK}} t : \forall x\, A}
\qquad
\frac{\Gamma \vdash_{\mathrm{NK}} t : \forall x\, A}{\Gamma \vdash_{\mathrm{NK}} t : A\{x := e\}}$$

$$\frac{\Gamma \vdash_{\mathrm{NK}} t : A \quad X \notin FV(\Gamma)}{\Gamma \vdash_{\mathrm{NK}} t : \forall X\, A}
\qquad
\frac{\Gamma \vdash_{\mathrm{NK}} t : \forall X\, A}{\Gamma \vdash_{\mathrm{NK}} t : A\{X(x_1, \ldots, x_k) := B\}}$$

Figure 1: Classical second-order arithmetic (PA2)
2.2. The congruences $e \cong e'$ and $A \cong A'$. We introduce two congruences $e \cong e'$ and $A \cong A'$ over arithmetic expressions and formulae that will be used to incorporate the definitional equalities of the function symbols of the signature in the conversion rule of the type system we shall introduce in section 2.3. The same mechanism will be used to build proof-terms for Peano's 3rd and 4th axioms.

The congru
ence $e \cong e'$ over arithmetic expressions is simply defined as the congruence generated by the defining equations of the primitive recursive function symbols of the signature. (We already gave the equations associated with the function symbols '+', '×', 'pred' and 'neg' in section 2.1.) Of course, these equations can be oriented in such a way that they form a confluent and terminating system of rewrite rules, so that the congruence $e \cong e'$ is decidable. But we shall not need such a level of detail in the sequel.

The congruence $A \cong A'$ over formulae is defined by adding the equation $\mathrm{null}(s(x)) \cong \bot$ to the system of equations defining the congruence $e \cong e'$. Again, this new equation can be oriented from left to right so that the resulting system of rewrite rules (including the rewrite rules for function symbols) is confluent and terminating, and the congruence $A \cong A'$ is thus decidable.
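As an added illustration (not code from the paper) of the decision procedure just sketched, the following Python program orients the defining equations of section 2.1 and the equation $\mathrm{null}(s(x)) \cong \bot$ from left to right, computes normal forms under the resulting rewrite system, and decides both congruences by comparing normal forms. The tuple encoding of expressions and the names `normalize`, `congruent` and `normalize_formula` are this example's own.

```python
# Arithmetic expressions of PA2 as nested tuples (this example's own encoding):
#   ("0",) | ("s", e) | ("var", name) | ("+", a, b) | ("x", a, b) | ("pred", e) | ("neg", e)
# Formulae: ("null", e) | ("bot",) | ("imp", A, B)

ZERO = ("0",)

def numeral(n):
    """The expression s(s(...s(0)...)) with n successors."""
    e = ZERO
    for _ in range(n):
        e = ("s", e)
    return e

def reduce_root(e):
    """Apply one defining equation, oriented left to right, at the root; None if none applies."""
    op = e[0]
    if op in ("+", "x", "pred", "neg"):
        first = e[1]
        if op == "+" and first == ZERO:        # 0 + y -> y
            return e[2]
        if op == "+" and first[0] == "s":      # s(x) + y -> s(x + y)
            return ("s", ("+", first[1], e[2]))
        if op == "x" and first == ZERO:        # 0 x y -> 0
            return ZERO
        if op == "x" and first[0] == "s":      # s(x) x y -> (x x y) + y
            return ("+", ("x", first[1], e[2]), e[2])
        if op == "pred" and first == ZERO:     # pred(0) -> 0
            return ZERO
        if op == "pred" and first[0] == "s":   # pred(s(x)) -> x
            return first[1]
        if op == "neg" and first == ZERO:      # neg(0) -> 1
            return ("s", ZERO)
        if op == "neg" and first[0] == "s":    # neg(s(x)) -> 0
            return ZERO
    return None

def normalize(e):
    """Innermost normal form; terminates because the oriented system is terminating."""
    if e[0] in ("0", "var"):
        return e
    e = (e[0],) + tuple(normalize(a) for a in e[1:])
    r = reduce_root(e)
    return e if r is None else normalize(r)

def congruent(e1, e2):
    """Decide e1 ≅ e2: by confluence, equal normal forms is the criterion."""
    return normalize(e1) == normalize(e2)

def normalize_formula(a):
    """Normal form under the formula congruence, which adds null(s(x)) ≅ ⊥."""
    if a[0] == "null":
        e = normalize(a[1])
        return ("bot",) if e[0] == "s" else ("null", e)
    if a[0] == "imp":
        return ("imp", normalize_formula(a[1]), normalize_formula(a[2]))
    return a

def congruent_formulae(a, b):
    return normalize_formula(a) == normalize_formula(b)

def to_int(e):
    """Read a closed numeral back as an integer (None if e is not of the form s^n(0))."""
    n = 0
    while e[0] == "s":
        n, e = n + 1, e[1]
    return n if e == ZERO else None

if __name__ == "__main__":
    x = ("var", "x")
    print(to_int(normalize(("x", numeral(2), numeral(3)))))   # 6
    print(congruent(("pred", ("s", x)), x))                     # True: definitional
    print(congruent(("+", x, ZERO), x))                         # False: x + 0 = x needs induction
    print(normalize_formula(("null", ("neg", ("s", x)))))       # ('null', ('0',)), i.e. ⊤
    print(normalize_formula(("null", ("neg", ZERO))))           # ('bot',)
```

The last two lines reproduce the conversion step of the derivation of Peano's 4th axiom (section 2.3): $\mathrm{null}(\mathrm{neg}(s(x)))$ converts to $\top$ and $\mathrm{null}(\mathrm{neg}(0))$ to $\bot$. The third line shows the limit of the congruence: $x + 0 \cong x$ is not a definitional equality (the recursion is on the first argument), so it needs induction rather than conversion.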



2.3. A type system for classical second-order arithmetic. The type/proof system of PA2 closely follows the spirit of Second-order functional arithmetic (FA2) [14]. As in FA2, first- and second-order universal quantifications are treated uniformly, by using Curry-style proof-terms that do not keep track of introduction and elimination of universal quantifiers². As usual in such a framework, numeric quantifications require a special treatment we shall recall in Section 2.4.

Formally, the type system of PA2 is based on a typing judgment of the form $\Gamma \vdash_{\mathrm{NK}} t : A$, where $\Gamma$ is a typing context, $t$ a (Curry-style) proof-term, and where $A$ is a formula of the language of PA2 (section 2.1).

Proof-terms of PA2 (notation: $t$, $u$, etc.) are just pure $\lambda$-terms³ enriched with a special constant $\mathsf{cc}$ ('call/cc') to prove Peirce's law. The operational semantics of proof-terms (that slightly differs from the traditional operational semantics of pure $\lambda$-calculus) will be given in section 3.

A typing context (notation: $\Gamma$, $\Gamma'$, $\Gamma_1$, etc.) is a finite unordered list of declarations of the form $\Gamma = x_1 : A_1, \ldots, x_n : A_n$ where $x_1, \ldots, x_n$ are pairwise distinct proof-variables and where $A_1, \ldots, A_n$ are arbitrary formulae. Given a typing context $\Gamma = x_1 : A_1, \ldots, x_n : A_n$, we write $\mathrm{dom}(\Gamma) = \{x_1; \ldots; x_n\}$ and $FV(\Gamma) = FV(A_1) \cup \cdots \cup FV(A_n)$.

The inference rules for the judgment $\Gamma \vdash_{\mathrm{NK}} t : A$ are given in Fig. 1. These rules contain the standard typing rules of AF2 [14] (that correspond to the deduction rules of intuitionistic natural deduction in second-order predicate logic), plus a typing rule for the constant $\mathsf{cc}$ (Peirce's axiom) to recover classical logic. These rules also contain a conversion rule as well as an introduction rule for the propositional constant $\top$. (These rules are specifically needed to build proof-terms for the axioms of arithmetic.) In particular:

² For this reason, a (Curry-style) proof-term should not be confused with the proof (i.e. the derivation) it comes from, since the latter contains much more information that cannot be reconstructed from the proof-term. In such a setting, the proof-term is merely a computational digest of the formal proof, where some computationally irrelevant parts of the proof have already been removed.

³ Proof variables (i.e. variables of the $\lambda$-calculus) are written $x$, $y$, $z$, etc. in the sequel, but it is important not to confuse them with first-order variables (written using the same letters) that occur in arithmetic expressions and formulae.
• For all arithmetic expressions $e_1(x_1, \ldots, x_k)$ and $e_2(x_1, \ldots, x_k)$ depending on the variables $x_1, \ldots, x_k$ such that $e_1(x_1, \ldots, x_k) \cong e_2(x_1, \ldots, x_k)$, we have

$$\vdash_{\mathrm{NK}} \lambda z.\,z : \forall x_1 \cdots \forall x_k\; e_1(x_1, \ldots, x_k) = e_2(x_1, \ldots, x_k)$$

(where $=$ stands for Leibniz equality), so that $\lambda z.\,z$ is a proof-term for all definitional equalities attached to the function symbols of the signature.

• Given an arbitrary proof-term $u$ such that $FV(u) \subseteq \{z\}$, we have

$$\vdash_{\mathrm{NK}} \lambda z.\,z : \forall x\,\forall y\,(s(x) = s(y) \Rightarrow x = y) \qquad\qquad \vdash_{\mathrm{NK}} \lambda z.\,zu : \forall x\,\neg(s(x) = 0)$$

so that Peano's 3rd and 4th axioms are provable in our type system. (The corresponding derivations are given in Fig. 2.)

Peano's 3rd axiom (read from top to bottom, each judgment is derived from the one above it):

$$\begin{array}{l}
z : s(x) = s(y) \vdash_{\mathrm{NK}} z : s(x) = s(y)\\
z : s(x) = s(y) \vdash_{\mathrm{NK}} z : Z(\mathrm{pred}(s(x))) \Rightarrow Z(\mathrm{pred}(s(y)))\\
z : s(x) = s(y) \vdash_{\mathrm{NK}} z : \forall Z\,(Z(\mathrm{pred}(s(x))) \Rightarrow Z(\mathrm{pred}(s(y))))\\
z : s(x) = s(y) \vdash_{\mathrm{NK}} z : x = y\\
\vdash_{\mathrm{NK}} \lambda z.\,z : s(x) = s(y) \Rightarrow x = y\\
\vdash_{\mathrm{NK}} \lambda z.\,z : \forall y\,(s(x) = s(y) \Rightarrow x = y)\\
\vdash_{\mathrm{NK}} \lambda z.\,z : \forall x\,\forall y\,(s(x) = s(y) \Rightarrow x = y)
\end{array}$$

Peano's 4th axiom (the two judgments on the third line are the premises of the application rule):

$$\begin{array}{l}
z : s(x) = 0 \vdash_{\mathrm{NK}} z : s(x) = 0\\
z : s(x) = 0 \vdash_{\mathrm{NK}} z : \mathrm{null}(\mathrm{neg}(s(x))) \Rightarrow \mathrm{null}(\mathrm{neg}(0))\\
z : s(x) = 0 \vdash_{\mathrm{NK}} z : \top \Rightarrow \bot \qquad\qquad z : s(x) = 0 \vdash_{\mathrm{NK}} u : \top\\
z : s(x) = 0 \vdash_{\mathrm{NK}} zu : \bot\\
\vdash_{\mathrm{NK}} \lambda z.\,zu : s(x) = 0 \Rightarrow \bot\\
\vdash_{\mathrm{NK}} \lambda z.\,zu : \forall x\,(s(x) = 0 \Rightarrow \bot)
\end{array}$$

Figure 2: Derivations for Peano's 3rd and 4th axioms

2.4. Induction. It is well known [7, 14, 19] that the induction principle

$$\forall Z\,(Z(0) \Rightarrow \forall y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow \forall x\, Z(x))$$

cannot be given a (closed) proof-term in the type system we presented above. The reason is that first-order quantification is interpreted uniformly (i.e. as an infinitary intersection type) in our setting, whereas universal quantification over natural numbers cannot be interpreted uniformly, for that most proofs of $A(n)$ computationally depend on the natural number $n$. To circumvent this difficulty, we use a well-known trick of second-order logic which is to relativize first-order quantifications using the predicate

$$\mathrm{nat}(x) \equiv \forall Z\,(Z(0) \Rightarrow \forall y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow Z(x))$$

expressing that $x$ belongs to the smallest set of individuals containing zero and stable under the successor function. With this notation, the relativized form of the induction principle

$$\forall Z\,(Z(0) \Rightarrow \forall y\,(\mathrm{nat}(y) \Rightarrow Z(y) \Rightarrow Z(s(y))) \Rightarrow \forall x\,(\mathrm{nat}(x) \Rightarrow Z(x)))$$

can be given a closed proof-term in our setting. (See [14] for instance.)

More generally, we associate to every formula $A$ a formula $A^{\mathrm{nat}}$ that is obtained by relativizing all the first-order quantifications with the predicate nat. Formally, the formula $A^{\mathrm{nat}}$ is defined by induction on $A$ with the equations:

$$\begin{aligned}
(\mathrm{null}(e))^{\mathrm{nat}} &= \mathrm{null}(e)\\
(X(e_1, \ldots, e_k))^{\mathrm{nat}} &= X(e_1, \ldots, e_k)\\
(\forall x\, A)^{\mathrm{nat}} &= \forall x\,(\mathrm{nat}(x) \Rightarrow A^{\mathrm{nat}})\\
(\forall X\, A)^{\mathrm{nat}} &= \forall X\,(A^{\mathrm{nat}})
\end{aligned}$$

We then easily check that

Proposition 2.1. If a closed formula $A$ is provable in classical second-order arithmetic (with the unrelativized induction principle), then the formula $A^{\mathrm{nat}}$ has a closed proof-term in the type system defined in Fig. 1.
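Added example (not the paper's own code): the relativization $A \mapsto A^{\mathrm{nat}}$ implemented on a small AST for PA2 formulae and checked against the induction principle above. Since the text lists no clause for implication, the example assumes the evident homomorphic clause $(A \Rightarrow B)^{\mathrm{nat}} = A^{\mathrm{nat}} \Rightarrow B^{\mathrm{nat}}$; the constructors, the string encoding of arithmetic expressions and the function names are this example's own.

```python
from dataclasses import dataclass

# Formulae of PA2 (Fig. 1); arithmetic expressions are kept as plain strings.
@dataclass(frozen=True)
class Null:                 # null(e)
    expr: str

@dataclass(frozen=True)
class Pred:                 # X(e1, ..., ek)
    name: str
    args: tuple

@dataclass(frozen=True)
class Imp:                  # A => B
    left: object
    right: object

@dataclass(frozen=True)
class Forall1:              # first-order quantification  ∀x A
    var: str
    body: object

@dataclass(frozen=True)
class Forall2:              # second-order quantification ∀X A
    var: str
    body: object


def nat(e):
    """nat(e) = ∀Z (Z(0) ⇒ ∀y (Z(y) ⇒ Z(s(y))) ⇒ Z(e)), the abbreviation of Fig. 1."""
    step = Forall1("y", Imp(Pred("Z", ("y",)), Pred("Z", ("s(y)",))))
    return Forall2("Z", Imp(Pred("Z", ("0",)), Imp(step, Pred("Z", (e,)))))


def relativize(a):
    """A ↦ A^nat: guard every first-order quantification with the predicate nat."""
    if isinstance(a, (Null, Pred)):
        return a
    if isinstance(a, Imp):
        # assumed clause (not listed in the text): implication is translated homomorphically
        return Imp(relativize(a.left), relativize(a.right))
    if isinstance(a, Forall1):
        return Forall1(a.var, Imp(nat(a.var), relativize(a.body)))
    if isinstance(a, Forall2):
        return Forall2(a.var, relativize(a.body))
    raise TypeError(a)


def show(a):
    """Pretty-printer, used to read the results."""
    if isinstance(a, Null):
        return f"null({a.expr})"
    if isinstance(a, Pred):
        return f"{a.name}({', '.join(a.args)})"
    if isinstance(a, Imp):
        return f"({show(a.left)} ⇒ {show(a.right)})"
    return f"∀{a.var} {show(a.body)}"


# The (unrelativized) induction principle, ∀Z (Z(0) ⇒ ∀y (Z(y) ⇒ Z(s(y))) ⇒ ∀x Z(x)) ...
INDUCTION = Forall2("Z", Imp(Pred("Z", ("0",)),
                     Imp(Forall1("y", Imp(Pred("Z", ("y",)), Pred("Z", ("s(y)",)))),
                         Forall1("x", Pred("Z", ("x",))))))

# ... and its relativized form, written out by hand from the text.
RELATIVIZED_INDUCTION = Forall2("Z", Imp(Pred("Z", ("0",)),
    Imp(Forall1("y", Imp(nat("y"), Imp(Pred("Z", ("y",)), Pred("Z", ("s(y)",))))),
        Forall1("x", Imp(nat("x"), Pred("Z", ("x",)))))))


if __name__ == "__main__":
    print(show(relativize(INDUCTION)))
    print(relativize(INDUCTION) == RELATIVIZED_INDUCTION)      # True
```

The equality check confirms that the relativized induction principle of the text is exactly the image of the unrelativized one under $A \mapsto A^{\mathrm{nat}}$ (the guard inserted under $\forall y$ is why the relativized form reads $\mathrm{nat}(y) \Rightarrow Z(y) \Rightarrow Z(s(y))$).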



3. Classical realizability

We shall now present the classical realizability interpretation of the type system presented in section 2.3 following the method introduced by Krivine [19].

First, we shall introduce a calculus of realizers (Krivine's language $\lambda_c$) containing the proof-terms of Fig. 1 and give its evaluation rules, that constitute the small-step operational semantics of the language. From this, we shall see how to interpret every formula $A$ of PA2 as a set of realizers $|A|$, reading the formula $A$ as a specification of the computational behavior of the realizers of $A$. The connection between the classical realizability interpretation and big-step operational semantics in $\lambda_c$ should become clear in sections 4 and 5.

3.1. A calculus of realizers. Krivine's language $\lambda_c$ [19] is a strict extension of the calculus of proof-terms of PA2 (section 2.3). The language $\lambda_c$ actually distinguishes three kinds of syntactic entities: terms, stacks and processes.

$$\begin{aligned}
\text{Terms}\quad t, u &::= x \mid \lambda x.\,t \mid tu \mid k_\pi \mid \kappa \qquad (\kappa \in \mathcal{K})\\
\text{Stacks}\quad \pi &::= \diamond \mid t \cdot \pi \qquad (t \text{ closed})\\
\text{Processes}\quad p, q &::= t \star \pi \qquad (t \text{ closed})
\end{aligned}$$

Terms of $\lambda_c$ are pure $\lambda$-terms enriched with two kinds of constants:

• instructions $\kappa \in \mathcal{K}$, where $\mathcal{K}$ is a fixed set of constants that contains (at least) an instruction written $\mathsf{cc}$ (call/cc);

• continuation constants $k_\pi$, one for every stack $\pi$.

Stacks are finite lists of closed terms terminated by the stack constant $\diamond$⁴. Note that unlike terms (that may be open or closed), stacks only contain closed terms and are thus closed objects — so that the continuation constant $k_\pi$ associated to every stack $\pi$ is actually a constant. (The details of the mutual definition of terms and stacks are given in [19].) Finally, a process is simply a pair formed by a closed term $t$ and a stack $\pi$. The set of closed terms (resp. the set of stacks) is written $\Lambda_c$ (resp. $\Pi$), and the set of processes is written $\Lambda_c \star \Pi$.

In section 4 we shall extend the calculus with extra instructions to perform fast arithmetic computations. (See also Remark 3.1.)

⁴ Krivine allows the formation of stacks using many stack constants (representing as many empty stacks), but we will not need more than one stack constant here.



3.1.1. Evaluation. The set of processes is equipped with a binary relation of one step evaluation written $p \succ p'$, whose reflexive-transitive closure is written $p \succ^* p'$ as usual. We assume that this relation satisfies (at least) the following axioms:

$$\begin{aligned}
\text{(Grab)}\qquad & \lambda x.\,t \star u \cdot \pi \;\succ\; t\{x := u\} \star \pi\\
\text{(Push)}\qquad & tu \star \pi \;\succ\; t \star u \cdot \pi\\
\text{(Call/cc)}\qquad & \mathsf{cc} \star t \cdot \pi \;\succ\; t \star k_\pi \cdot \pi\\
\text{(Resume)}\qquad & k_\pi \star t \cdot \pi' \;\succ\; t \star \pi
\end{aligned}$$

for all $t, u \in \Lambda_c$ and $\pi, \pi' \in \Pi$. Note that only processes are subject to evaluation: there is no notion of reduction for either terms or stacks in $\lambda_c$.

This list of axioms — that basically implements weak head $\beta$-reduction in presence of the control operator call/cc — can be extended with extra axioms to describe the computational behavior of the other instructions $\kappa \in \mathcal{K}$.

Remark 3.1. Formally, the definition of the language $\lambda_c$ thus depends on two parameters: the set $\mathcal{K}$ of instructions (containing at least the instruction $\mathsf{cc}$), and the relation of evaluation $\succ$ that fulfils the four axioms given above. In particular, the rules (Grab), (Push), (Call/cc) and (Resume) are only conditions on the relation $\succ$, but they do not constitute a definition (by cases) of this relation. (The reader is invited to check that these conditions are actually the minimal conditions for proving Prop. 3.10.) Putting conditions on the set $\mathcal{K}$ and on the relation of evaluation — rather than defining them completely⁵ — naturally makes the calculus modular, since this design allows us to enrich the calculus with extra instructions (by putting extra conditions on $\mathcal{K}$) and extra evaluation rules (by putting extra conditions on $\succ$), while keeping all the results that have been proved using a smaller set of conditions on $\mathcal{K}$ and $\succ$. Technically, this open design has only one drawback, which is that it forbids any form of reasoning by 'case analysis' on an instruction or on an evaluation step — since the contents of $\mathcal{K}$ and the definition of $\succ$ are not (completely) known. Again, the reader is invited to check that this form of reasoning is never used in the results presented in Sections 3, 4 and 5 — with the sole exception of Lemma 5.5 in section 5.3. The set of available instructions and evaluation rules will only be closed in section 8 in order to define the negative translation and to study its properties.

⁵ This is the point of view that is taken in [15, 17, 18, 19].
3.2. The realizability interpretation.

3.2.1. The notion of a pole. The construction of the classical realizability model is parameterized by a set of processes $\bot\!\!\bot \subseteq \Lambda_c \star \Pi$, which we call the pole of the model. We assume that this set is closed under anti-evaluation (or saturated according to the terminology of [19]). Formally:

Definition 3.2. A pole is any set of processes $\bot\!\!\bot \subseteq \Lambda_c \star \Pi$ such that the conditions $p \succ p'$ and $p' \in \bot\!\!\bot$ together imply $p \in \bot\!\!\bot$ for all $p, p' \in \Lambda_c \star \Pi$.

Remark 3.3. Since the definition of a pole explicitly depends on the relation of evaluation $\succ$, all the conditions we put on the relation of evaluation (see Remark 3.1) are mechanically reflected in the definition of the notion of a pole. For instance, the rule (Push) is reflected in all poles $\bot\!\!\bot$ by the fact that $t \star u \cdot \pi \in \bot\!\!\bot$ implies $tu \star \pi \in \bot\!\!\bot$ (for all terms $t$, $u$ and for all stacks $\pi$). The same holds for the rules (Grab), (Call/cc) and (Resume), as well as for the new rules we shall introduce in Section 4. Putting more conditions on the relation of evaluation thus reduces the number of available poles.

Note that there are two generic ways to define a pole $\bot\!\!\bot$ from an arbitrary set of processes $P_0 \subseteq \Lambda_c \star \Pi$:

• The first method is to consider $P_0$ as a set of final (or 'accepting') states, and to take $\bot\!\!\bot$ as the closure of $P_0$ by anti-evaluation, that is: $\bot\!\!\bot = (\succ P_0)$, which is defined by $(\succ P_0) = \{p : \exists p_0 \in P_0\;\; p \succ^* p_0\}$.

• The second method is to consider $P_0$ as a set of initial ('forbidden') states, and to take $\bot\!\!\bot$ as the complement of the closure of $P_0$ by evaluation, that is: $\bot\!\!\bot = (\Lambda_c \star \Pi) \setminus (P_0 \succ)$, where $(P_0 \succ) = \{p : \exists p_0 \in P_0\;\; p_0 \succ^* p\}$.

In this paper, we shall build particular poles (in Section 5) only using the first method, but interesting uses of the second method can be found in [17].
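The evaluation rules (Grab), (Push), (Call/cc) and (Resume) of section 3.1.1, together with the first way of building a pole (closure of a set $P_0$ of final states by anti-evaluation), are both illustrated by the following added Python example, which is not code from the paper. The term constructors, the representation of stacks as tuples (the empty tuple playing the role of $\diamond$), the functions `run` and `in_pole`, and the rule-less marker instruction `stop` (an extra element of $\mathcal{K}$ beyond $\mathsf{cc}$, as Remark 3.1 permits) are assumptions of this example.

```python
from dataclasses import dataclass

# ---- terms of lambda_c -------------------------------------------------------
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: object

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class Cc:                    # the instruction cc (call/cc)
    pass

@dataclass(frozen=True)
class Kont:                  # continuation constant k_pi, pi a stack
    stack: tuple

@dataclass(frozen=True)
class Instr:                 # an extra instruction with no evaluation rule (stuck in head position)
    name: str

# Stacks are tuples of closed terms, () being the stack constant; a process is (term, stack).

def subst(t, x, u):
    """t{x := u}; u comes from a stack, hence is closed, so no capture is possible."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if isinstance(t, Lam):
        return t if t.var == x else Lam(t.var, subst(t.body, x, u))
    if isinstance(t, App):
        return App(subst(t.fun, x, u), subst(t.arg, x, u))
    return t                                   # Cc, Kont, Instr contain no variables

def step(p):
    """One evaluation step p > p', or None when no rule applies (p is stuck)."""
    t, pi = p
    if isinstance(t, Lam) and pi:              # (Grab)    λx.t * u.π  >  t{x:=u} * π
        return (subst(t.body, t.var, pi[0]), pi[1:])
    if isinstance(t, App):                     # (Push)    tu * π      >  t * u.π
        return (t.fun, (t.arg,) + pi)
    if isinstance(t, Cc) and pi:               # (Call/cc) cc * t.π    >  t * k_π.π
        return (pi[0], (Kont(pi[1:]),) + pi[1:])
    if isinstance(t, Kont) and pi:             # (Resume)  k_π * t.π'  >  t * π
        return (pi[0], t.stack)
    return None

def run(p, max_steps=1000):
    """Evaluation trace p = p0 > p1 > ... until the process is stuck or the budget is spent."""
    trace = [p]
    while len(trace) <= max_steps:
        q = step(trace[-1])
        if q is None:
            break
        trace.append(q)
    return trace

def in_pole(p, is_final, max_steps=1000):
    """Membership in the pole (>P0) = {p : exists p0 in P0, p >* p0}, P0 being given by
    the predicate is_final.  With only the four rules above evaluation is deterministic,
    so p >* p0 iff p0 occurs on the trace of p.  A False answer is certain only when the
    trace got stuck within the budget; a looping process is cut off and reported False."""
    return any(is_final(q) for q in run(p, max_steps))

# ---- constructed sample processes -------------------------------------------
I = Lam("z", Var("z"))                         # identity
STOP = Instr("stop")                           # rule-less marker used as the final state

def is_stop(p):
    return isinstance(p[0], Instr) and p[0].name == "stop"

def peirce_demo():
    """cc * (λk. k I B).stop: k captures the stack (stop); applying k later throws away
    the pending argument B and resumes with I on the captured stack."""
    b = Lam("w", Var("w"))
    return run((Cc(), (Lam("k", App(App(Var("k"), I), b)), STOP)))

def omega():
    """(λx.xx)(λx.xx) * ◇ loops forever under (Push)/(Grab)."""
    w = Lam("x", App(Var("x"), Var("x")))
    return (App(w, w), ())

if __name__ == "__main__":
    for q in peirce_demo():
        print(q)
    print(in_pole(peirce_demo()[0], is_stop))  # True: evaluation reaches stop * ◇
    print(in_pole((I, ()), is_stop))           # False: stuck at once, no rule for λ on ◇
    print(in_pole(omega(), is_stop, 50))       # False (budget exhausted)
```

The trace of `peirce_demo` passes through $k_{\mathsf{stop}\cdot\diamond} \star I \cdot B \cdot \mathsf{stop} \cdot \diamond$ and then, by (Resume), through $I \star \mathsf{stop} \cdot \diamond$: the argument $B$ is discarded with the current stack. Because the pole is defined as the anti-evaluation closure of the final states, every process on a trace that reaches a final state is itself in the pole, which is the closure condition of Definition 3.2 by construction.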

3.2.2. Truth and falsity values. From now on, $\bot\!\!\bot$ denotes a fixed pole. We call a falsity value any set of stacks $S \subseteq \Pi$. By orthogonality, every falsity value $S \subseteq \Pi$ induces a truth value $S^{\bot\!\!\bot} \subseteq \Lambda_c$ defined as:

$$S^{\bot\!\!\bot} = \{t \in \Lambda_c : \forall \pi \in S\;\; t \star \pi \in \bot\!\!\bot\}.$$

3.2.3. Valuations and parametric formulae. A valuation is a function $\rho$ whose domain is a finite set of (first- and second-order) variables, such that:

• $\rho(x) \in \mathbb{N}$ for every first-order variable $x \in \mathrm{dom}(\rho)$;

• $\rho(X)$ is a (total) function from $\mathbb{N}^k$ to $\mathfrak{P}(\Pi)$ (i.e. a falsity value function) for every $k$-ary second-order variable $X \in \mathrm{dom}(\rho)$.

A parametric expression (resp. a parametric formula) is simply an arithmetic expression $e$ (resp. a formula $A$) equipped with a valuation $\rho$, that we write $e[\rho]$ (resp. $A[\rho]$). Parametric contexts are defined similarly. A parametric expression (formula, context) is said to be closed when every free variable of the underlying expression (formula, context) belongs to the domain of the attached valuation.

For every closed parametric expression $e[\rho]$ we write $\mathrm{Val}(e[\rho]) \in \mathbb{N}$ the value of $e[\rho]$, interpreting variables by their images in $\rho$ while giving to the primitive recursive function symbols in $e$ their standard interpretation.
We easily check that:

Lemma 3.4. If $e$ and $e'$ are two arithmetic expressions such that $e \cong e'$, then for all valuations $\rho$ closing $e$ and $e'$ we have $\mathrm{Val}(e[\rho]) = \mathrm{Val}(e'[\rho])$.

Proof. By induction on the derivation of $e \cong e'$. □

3.2.4. The interpretation function. Every closed parametric formula $A[\rho]$ is interpreted as two sets, namely: a falsity value $\|A[\rho]\| \subseteq \Pi$ and a truth value $|A[\rho]| \subseteq \Lambda_c$. Both sets are defined by induction on the formula $A$ as follows:

$$\begin{aligned}
\|X(e_1, \ldots, e_k)[\rho]\| &= \rho(X)(\mathrm{Val}(e_1[\rho]), \ldots, \mathrm{Val}(e_k[\rho]))\\
\|\mathrm{null}(e)[\rho]\| &= \begin{cases} \emptyset & \text{if } \mathrm{Val}(e[\rho]) = 0\\ \Pi & \text{if } \mathrm{Val}(e[\rho]) \neq 0 \end{cases}\\
\|(A \Rightarrow B)[\rho]\| &= |A[\rho]| \cdot \|B[\rho]\| = \{t \cdot \pi : t \in |A[\rho]|,\; \pi \in \|B[\rho]\|\}\\
\|(\forall x\, A)[\rho]\| &= \bigcup_{n \in \mathbb{N}} \|A[\rho, x \leftarrow n]\|\\
\|(\forall X\, A)[\rho]\| &= \bigcup_{F : \mathbb{N}^k \to \mathfrak{P}(\Pi)} \|A[\rho, X \leftarrow F]\|\\
|A[\rho]| &= \|A[\rho]\|^{\bot\!\!\bot} = \{t \in \Lambda_c : \forall \pi \in \|A[\rho]\|\;\; t \star \pi \in \bot\!\!\bot\}
\end{aligned}$$

The reader is invited to check that the sets $\|A[\rho]\|$ and $|A[\rho]|$ only depend on the values given by $\rho$ to the free variables of $A$, so that we can drop the valuation $\rho$ when $A$ is closed and simply write $\|A\|$ and $|A|$ for $\|A[\rho]\|$ and $|A[\rho]|$. We easily check that:

Lemma 3.5. If $A$ and $A'$ are two formulae of PA2 such that $A \cong A'$, then for all valuations $\rho$ closing $A$ and $A'$ we have $\|A[\rho]\| = \|A'[\rho]\|$.

Proof. By induction on the derivation of $A \cong A'$ using Lemma 3.4 together with the fact that

$$\|\bot\| = \bigcup_{S \subseteq \Pi} S = \Pi = \|\mathrm{null}(s(e))[\rho]\|$$

for all closed parametric expressions $e[\rho]$ (to interpret $\bot \cong \mathrm{null}(s(e))$). □

Since the truth value $|A[\rho]|$ and the falsity value $\|A[\rho]\|$ of the formula $A$ actually depend on the pole $\bot\!\!\bot$, we shall sometimes use the notations $|A[\rho]|_{\bot\!\!\bot}$ and $\|A[\rho]\|_{\bot\!\!\bot}$ to indicate this dependency explicitly.

Definition 3.6 (Realizability). Given a pole $\bot\!\!\bot$, a closed parametric formula $A[\rho]$ and a closed term $t$, we say that $t$ realizes $A[\rho]$ and write $t \Vdash_{\mathrm{NK}} A[\rho]$ when $t \in |A[\rho]|_{\bot\!\!\bot}$, keeping in mind that this notation depends on the choice of the particular pole $\bot\!\!\bot$. When $t \in |A[\rho]|_{\bot\!\!\bot}$ for all poles $\bot\!\!\bot$, we say that $t$ universally realizes $A[\rho]$ and write $t \Vvdash_{\mathrm{NK}} A[\rho]$.
3.2.5. Writing parametric formulae. In what follows, we shall often use the convenient shorthand

$$\dot F(e_1, \ldots, e_k) \;\equiv\; (X(e_1, \ldots, e_k))[X \leftarrow \dot F]$$

to denote a parametric formula built from a $k$-ary predicate variable $X$ that is bound to a particular falsity value function $\dot F : \mathbb{N}^k \to \mathfrak{P}(\Pi)$ in the attached valuation. (The dot above the symbol $F$ is here to recall that $\dot F$ is an object that belongs to the semantics, not to the syntax.) By systematically using this notation, we can write parametric formulae without explicitly mentioning valuations. In the sequel, we shall consider (for instance) that the notation

$$\forall z\,(\dot F(z) \Rightarrow \dot S)$$

refers to the parametric formula

$$(\forall z\,(X(z) \Rightarrow Y))[X \leftarrow \dot F, Y \leftarrow \dot S]$$

where $X$ and $Y$ are arbitrarily chosen fresh variables. Note that the parametric formula defined by such a notation is defined up to the names of the variables that are bound in the valuation — but it is easy to see that these names have no impact in the interpretation of the corresponding parametric formula.



3.3. The full standard model of PA2 as a degenerate case. In the case where $\bot\!\!\bot = \emptyset$, the classical realizability model defined above collapses to the full standard model of PA2 (i.e. the model where individuals are interpreted by the elements of $\mathbb{N}$ and where second-order variables of arity $k$ are interpreted by all the subsets of $\mathbb{N}^k$). To understand this point, we first notice that when $\bot\!\!\bot = \emptyset$, the truth value $S^{\bot\!\!\bot}$ associated to an arbitrary falsity value $S \subseteq \Pi$ can only take two different values: $S^{\bot\!\!\bot} = \Lambda_c$ when $S = \emptyset$, and $S^{\bot\!\!\bot} = \emptyset$ when $S \neq \emptyset$. Moreover, the realizability interpretation of implication and universal quantification mimics the standard truth value interpretation of the corresponding logical construction (in the case where $\bot\!\!\bot = \emptyset$). Writing $\mathscr{N}$ for the full standard model of PA2, we thus easily show that:

Lemma 3.7. If $\bot\!\!\bot = \emptyset$, then for every closed formula $A$ of PA2 we have

$$|A| = \begin{cases} \Lambda_c & \text{if } \mathscr{N} \models A\\ \emptyset & \text{if } \mathscr{N} \not\models A \end{cases}$$

Proof. We more generally show that for all formulae $A$ and for all valuations $\rho$ closing $A$ (in the sense defined in section 3.2) we have

$$|A[\rho]| = \begin{cases} \Lambda_c & \text{if } \mathscr{N} \models A[\bar\rho]\\ \emptyset & \text{if } \mathscr{N} \not\models A[\bar\rho] \end{cases}$$

where $\bar\rho$ is the valuation in $\mathscr{N}$ (in the usual sense) defined by

• $\bar\rho(x) = \rho(x)$ if $x$ is a first-order variable such that $x \in \mathrm{dom}(\rho)$;

• $\bar\rho(X) = \{(n_1, \ldots, n_k) \in \mathbb{N}^k : \rho(X)(n_1, \ldots, n_k) = \emptyset\}$ if $X$ is a second-order variable of arity $k$ such that $X \in \mathrm{dom}(\rho)$.

(This characterization is proved by a straightforward induction on $A$.) □
An interesting consequence of the above lemma is the following:

Lemma 3.8. If a closed formula $A$ has a universal realizer $t \Vvdash_{\mathrm{NK}} A$, then $A$ is true in the full standard model of PA2.

Proof. If $t \Vvdash_{\mathrm{NK}} A$, then $t \in |A|_{\varnothing}$. Therefore $|A|_{\varnothing} = \Lambda_c$ and $\mathcal M \models A$. □

However, the converse implication is wrong in general, since the formula $\forall x\,\mathrm{nat}(x)$ (cf. Fig. 1) that expresses the induction principle over individuals is obviously true in $\mathcal M$ but has no universal realizer [19, Theorem 20].⁷ Nevertheless, the converse implication becomes true when we restrict it to arithmetic formulae, that is, to the formulae of the following language:

$$\text{Arithmetic formulae}\qquad P, Q \;::=\; e_1 = e_2 \;\mid\; P \Rightarrow Q \;\mid\; \forall x\,(\mathrm{nat}(x) \Rightarrow P)$$

(This is a consequence of a slightly more general result in [19, Theorem 21].)

Remark 3.9. In the case where $\bot\!\!\bot \neq \varnothing$, every truth value is inhabited, for instance by any term of the form $\mathsf k_\pi\,t_0$ where $t_0 \star \pi \in \bot\!\!\bot$. An important consequence of this remark is that a classical realizer of a formula $A$ (w.r.t. a nonempty pole) can never be taken as a 'certificate' that the formula $A$ is true, even when $A$ is an equality. (This remark is crucial to understanding the specific difficulty of witness extraction in classical realizability.)

3.4. Adequacy. We call a substitution any finite function from proof-variables to the set $\Lambda_c$ of closed $\lambda_c$-terms, and we denote by $t[\sigma]$ the term obtained by applying a substitution $\sigma$ to a term $t$. Given a substitution $\sigma$ and a closed parametric context $\Gamma[\rho]$, we write $\sigma \Vdash_{\mathrm{NK}} \Gamma[\rho]$ when the following conditions are fulfilled:

(1) $\mathrm{dom}(\Gamma) \subseteq \mathrm{dom}(\sigma)$;

(2) $\sigma(x) \Vdash_{\mathrm{NK}} A[\rho]$ for every declaration $(x : A) \in \Gamma$.

We say that:

• A judgment $\Gamma \vdash_{\mathrm{NK}} t : A$ is sound (w.r.t. the pole $\bot\!\!\bot$) when for all valuations $\rho$ and for all substitutions $\sigma$ such that $\sigma \Vdash_{\mathrm{NK}} \Gamma[\rho]$, we have $t[\sigma] \Vdash_{\mathrm{NK}} A[\rho]$.

• An inference rule (where $P_1, \ldots, P_n$ and $C$ are typing judgments) is sound (w.r.t. the pole $\bot\!\!\bot$) when the soundness of its premises $P_1, \ldots, P_n$ (in the above sense) implies the soundness of its conclusion $C$.

From these definitions, it is clear that the conclusion of any typing derivation formed with only sound inference rules is sound w.r.t. all poles $\bot\!\!\bot$.

Proposition 3.10 (Adequacy). The typing rules of PA2 (Fig. 1) are sound w.r.t. all poles $\bot\!\!\bot \subseteq \Lambda_c \times \Pi$.

Proof. The soundness of the introduction rule of $\top$ is obvious (since $|\top| = \Lambda_c$) and the soundness of the conversion rule follows from Lemma 3.5. The soundness of the remaining typing rules is proved in [19]. □

⁷ This explains the special treatment of the induction principle in Section 2.4.

A consequence of this proposition is that closed proof-terms that are built using the type system of PA2 are actually universal realizers of the corresponding formulae. (But not all realizers can be detected via typing [H].)

4. Primitive natural numbers

Through the formulas-as-types paradigm, the relativized form of first-order universal quantification $\forall x\,(\mathrm{nat}(x) \Rightarrow A(x))$ corresponds to the (dependent) type of all functions mapping realizers of the formula $\mathrm{nat}(n)$ to realizers of the formula $A(n)$ for every $n \in \mathbb N$. To get a realizer of the formula $A(n)$ (for a particular value of $n \in \mathbb N$) from a realizer $t$ of the formula $\forall x\,(\mathrm{nat}(x) \Rightarrow A(x))$, it suffices to apply the term $t$ to the Church numeral $\lambda xf\,.\,f^n x$, using the following fact

Fact 4.1. For every $n \in \mathbb N$ one has: $\vdash_{\mathrm{NK}} \lambda xf\,.\,f^n x : \mathrm{nat}(n)$.

combined with the property of adequacy (Prop. 3.10).

On the other hand, the Church numeral $\lambda xf\,.\,f^n x$ is far from being the only realizer of the formula $\mathrm{nat}(n)$, the situation being much more complex than in intuitionistic realizability due to the presence of continuations in realizers. However, it is always possible to effectively retrieve (in some sense) the natural number $n$ from an arbitrary realizer of the formula $\mathrm{nat}(n)$, and the traditional way to achieve this in classical realizability is to use a storage operator [15, 19]. We propose here another method, by changing the representation of numerals.

Indeed, the main defect of Church numerals is not only their very poor efficiency in practical computations (especially for large values), but also the non-atomicity of their encoding, which makes them very hard to track through a negative translation towards intuitionistic logic. For this reason, we present here an alternative implementation of natural numbers in classical realizability, based on the introduction of specific constants to represent natural numbers together with new instructions to compute with them.

4.1. Extending the language of realizers. We now enrich⁸ the instruction set $\mathcal K$ with the following constants:

• For every $n \in \mathbb N$, a constant $\bar n \in \mathcal K$ representing the natural number $n$ as a pure datum. Here, the constant $\bar n$ hardly deserves the name of an instruction, since it comes with no evaluation rule. The intuition is that the constant $\bar n$ is only meaningful as a datum in the stack, not in head position.⁹

• Two constants $\mathsf s$ and $\mathsf{rec}$ with the evaluation rules

$$\begin{array}{lrcl}
(\textsc{Succ}) & \mathsf s \star \bar n \cdot u \cdot \pi & \succ & u \star \overline{n+1} \cdot \pi \\
(\textsc{Rec-0}) & \mathsf{rec} \star u_0 \cdot u_1 \cdot \bar 0 \cdot \pi & \succ & u_0 \star \pi \\
(\textsc{Rec-S}) & \mathsf{rec} \star u_0 \cdot u_1 \cdot \overline{n+1} \cdot \pi & \succ & u_1 \star \bar n \cdot (\mathsf{rec}\,u_0\,u_1\,\bar n) \cdot \pi
\end{array}$$

for all $u, u_0, u_1 \in \Lambda_c$, $n \in \mathbb N$ and $\pi \in \Pi$.

⁸ See the remark on the instruction set $\mathcal K$ in Section 2.

⁹ This is similar to the situation in most programming languages, where numbers are represented using machine numbers (or blocks of machine numbers) that are meaningless as pointers, so that executing them usually raises a memory fault.
With these new instructions, it is more generally possible to implement every recursive function $f$ of arity $k$ as a term $\hat f$ with the reduction rule

$$\hat f \star \bar n_1 \cdots \bar n_k \cdot u \cdot \pi \;\succ^*\; u \star \bar m \cdot \pi,$$

for all $(n_1, \ldots, n_k) \in \mathrm{dom}(f)$, writing $m = f(n_1, \ldots, n_k)$.¹⁰ To improve efficiency, we can also introduce the $\hat f$s (or some of them) as new instructions.

Apart from the representation of numerals as pure data, every natural number $n \in \mathbb N$ can also be represented as a program $\hat n$ defined by $\hat n = \lambda x\,.\,x\,\bar n$. (We will momentarily see how to give a 'type' to this program in PA2.)

4.2. Extending the realizability interpretation. To understand the computational behavior of the instructions that come with our alternative representation of numerals, we extend the language of formulae of PA2 with a new syntactic construct $\{e\} \Rightarrow B$ where $e$ is an arithmetic expression and $B$ a formula. (This extension is part of a larger system PA2⁺ that will be introduced in Section 4.3.) Intuitively, this formula corresponds to the type of all functions taking the representation of the value of $e$ as the constant $\bar n$ (where $n = \mathrm{Val}(e)$) and returning an object of type $B$.

Formally, the realizability interpretation of the formulae of PA2 (Section 3.2) is extended to the syntactic construct $\{e\} \Rightarrow B$ by letting:

$$\|(\{e\} \Rightarrow B)[\rho]\| \;=\; \{\bar n \cdot \pi \;:\; n = \mathrm{Val}(e[\rho]),\ \pi \in \|B[\rho]\|\}.$$

In this extended syntax, we can now give a type to the lazy numeral $\hat n = \lambda x\,.\,x\,\bar n$ by letting $\mathrm{nat}'(e) \equiv \forall Z\,((\{e\} \Rightarrow Z) \Rightarrow Z)$ and checking that:

Lemma 4.2. For every $n \in \mathbb N$: $\hat n = \lambda x\,.\,x\,\bar n \;\Vvdash_{\mathrm{NK}}\; \mathrm{nat}'(n)$.

Proof. Let $\bot\!\!\bot$ be a fixed pole, and consider an arbitrary element of the falsity value $\|\mathrm{nat}'(n)\| = \|\forall Z\,((\{n\} \Rightarrow Z) \Rightarrow Z)\|$, that is: a stack of the form $u \cdot \pi$ where $u \in |\{n\} \Rightarrow \dot S|$ and $\pi \in S$ for some falsity value $S \in \mathcal P(\Pi)$. We have $\lambda x\,.\,x\,\bar n \star u \cdot \pi \succ u \star \bar n \cdot \pi$. But since $\bar n \cdot \pi \in \|\{n\} \Rightarrow \dot S\|$, we get $u \star \bar n \cdot \pi \in \bot\!\!\bot$, hence $\lambda x\,.\,x\,\bar n \star u \cdot \pi \in \bot\!\!\bot$ by anti-evaluation. □

Moreover:

Lemma 4.3. Writing $\forall^{\mathbb N} x\,A(x) \equiv \forall x\,(\{x\} \Rightarrow A(x))$, we have:

(1) $\mathsf s \;\Vvdash_{\mathrm{NK}}\; \forall^{\mathbb N} x\,\mathrm{nat}'(s(x))$

(2) $\mathsf{rec} \;\Vvdash_{\mathrm{NK}}\; \forall Z\,(Z(0) \Rightarrow \forall^{\mathbb N} y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow \forall^{\mathbb N} x\,Z(x))$

Proof. Let $\bot\!\!\bot$ be a fixed pole.

(1) Let us consider an arbitrary element of $\|\forall^{\mathbb N} x\,\mathrm{nat}'(s(x))\|$, that is: a stack of the form $\bar n \cdot u \cdot \pi$, where $n \in \mathbb N$, $u \in |\{s(n)\} \Rightarrow \dot S|$ and $\pi \in S$ for some falsity value $S \subseteq \Pi$. We want to show that $\mathsf s \star \bar n \cdot u \cdot \pi \in \bot\!\!\bot$. Using the evaluation rule of $\mathsf s$, we get $\mathsf s \star \bar n \cdot u \cdot \pi \succ u \star \overline{n+1} \cdot \pi$. But since $\overline{n+1} \cdot \pi \in \|\{s(n)\} \Rightarrow \dot S\|$, we have $u \star \overline{n+1} \cdot \pi \in \bot\!\!\bot$, hence $\mathsf s \star \bar n \cdot u \cdot \pi \in \bot\!\!\bot$ by anti-evaluation.

(2) Let us take a falsity value function $\dot F : \mathbb N \to \mathcal P(\Pi)$ and consider two realizers $u_0 \in |\dot F(0)|$ and $u_1 \in |\forall^{\mathbb N} y\,(\dot F(y) \Rightarrow \dot F(s(y)))|$. We first show by induction on $n \in \mathbb N$ that for all stacks $\pi \in \dot F(n)$ we have $\mathsf{rec} \star u_0 \cdot u_1 \cdot \bar n \cdot \pi \in \bot\!\!\bot$.

— Base case. Take $\pi \in \dot F(0)$. We have $\mathsf{rec} \star u_0 \cdot u_1 \cdot \bar 0 \cdot \pi \succ u_0 \star \pi \in \bot\!\!\bot$ (since $u_0 \in |\dot F(0)|$), hence $\mathsf{rec} \star u_0 \cdot u_1 \cdot \bar 0 \cdot \pi \in \bot\!\!\bot$ by anti-evaluation.

— Inductive case. Let us assume that the property holds for $n \in \mathbb N$, and consider a stack $\pi \in \dot F(n+1)$. We have $\mathsf{rec} \star u_0 \cdot u_1 \cdot \overline{n+1} \cdot \pi \succ u_1 \star \bar n \cdot (\mathsf{rec}\,u_0\,u_1\,\bar n) \cdot \pi$. We now want to show that $\mathsf{rec}\,u_0\,u_1\,\bar n \in |\dot F(n)|$. For that, we take a stack $\pi' \in \dot F(n)$ and get $\mathsf{rec}\,u_0\,u_1\,\bar n \star \pi' \succ^* \mathsf{rec} \star u_0 \cdot u_1 \cdot \bar n \cdot \pi' \in \bot\!\!\bot$ by induction hypothesis, hence $\mathsf{rec}\,u_0\,u_1\,\bar n \star \pi' \in \bot\!\!\bot$ by anti-evaluation. Thus we have $\mathsf{rec}\,u_0\,u_1\,\bar n \in |\dot F(n)|$, hence we get

$$\bar n \cdot (\mathsf{rec}\,u_0\,u_1\,\bar n) \cdot \pi \;\in\; \|\{n\} \Rightarrow \dot F(n) \Rightarrow \dot F(s(n))\| \;\subseteq\; \|\forall^{\mathbb N} y\,(\dot F(y) \Rightarrow \dot F(s(y)))\|.$$

Therefore $u_1 \star \bar n \cdot (\mathsf{rec}\,u_0\,u_1\,\bar n) \cdot \pi \in \bot\!\!\bot$, and $\mathsf{rec} \star u_0 \cdot u_1 \cdot \overline{n+1} \cdot \pi \in \bot\!\!\bot$ by anti-evaluation.

We have shown that $\mathsf{rec} \star u_0 \cdot u_1 \cdot \bar n \cdot \pi \in \bot\!\!\bot$ for all $\dot F : \mathbb N \to \mathcal P(\Pi)$ and for all $u_0 \in |\dot F(0)|$, $u_1 \in |\forall^{\mathbb N} y\,(\dot F(y) \Rightarrow \dot F(s(y)))|$, $n \in \mathbb N$ and $\pi \in \dot F(n)$. But this precisely means that $\mathsf{rec}$ realizes the desired formula. □

¹⁰ In the case where we want to go beyond primitive recursion, it is necessary to use a fixpoint combinator to implement minimization.



4.3. Extending the type system. To facilitate the construction of universal realizers using the new instructions, we define an extension of PA2 (Fig. 1), which we call PA2⁺. The specific formation rules and typing rules of this system are summarized in Fig. 3.

Syntactic constructs

$$\begin{array}{lrcl}
\text{Formulae} & A, B & ::= & \cdots \;\mid\; \{e\} \Rightarrow B \\
\text{Proof-terms} & t, u & ::= & \cdots \;\mid\; \bar n \;\mid\; \mathsf s \;\mid\; \mathsf{rec} \\
\text{Contexts} & \Gamma & ::= & \cdots \;\mid\; \Gamma, x : \{e\}
\end{array}$$

Abbreviations

$$\begin{array}{rcl}
\mathrm{nat}'(e) & \equiv & \forall Z\,((\{e\} \Rightarrow Z) \Rightarrow Z) \\
\forall^{\mathbb N} x\,A & \equiv & \forall x\,(\{x\} \Rightarrow A) \\
\exists^{\mathbb N} x\,A & \equiv & \forall Z\,(\forall x\,(\{x\} \Rightarrow A \Rightarrow Z) \Rightarrow Z)
\end{array}$$

Typing rules

$$\Gamma \vdash_{\mathrm{NK}} \mathsf s : \forall^{\mathbb N} x\,\mathrm{nat}'(s(x))
\qquad
\Gamma \vdash_{\mathrm{NK}} \mathsf{rec} : \forall Z\,(Z(0) \Rightarrow \forall^{\mathbb N} y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow \forall^{\mathbb N} x\,Z(x))$$

$$\dfrac{\Gamma, x : \{e\} \vdash_{\mathrm{NK}} t : B}{\Gamma \vdash_{\mathrm{NK}} \lambda x\,.\,t : \{e\} \Rightarrow B}
\qquad
\dfrac{\Gamma \vdash_{\mathrm{NK}} t : \{e\} \Rightarrow B \qquad (x : \{e\}) \in \Gamma}{\Gamma \vdash_{\mathrm{NK}} t\,x : B}
\qquad
\dfrac{\Gamma \vdash_{\mathrm{NK}} t : \{n\} \Rightarrow B}{\Gamma \vdash_{\mathrm{NK}} t\,\bar n : B}$$

Figure 3: Extending PA2 with primitive numerals



Compared to PA2, the grammar of the formulae of PA2⁺ is enriched with the syntactic construct $\{e\} \Rightarrow B$ introduced in Section 4.2. (Arithmetic expressions remain unchanged.) To reflect the presence of a second form of implication, typing contexts of system PA2⁺ introduce a second form of declaration, written $x : \{e\}$, that expresses that the proof-variable $x$ is bound to the constant $\bar n$, where $n$ is the value of $e$ (i.e. $n = \mathrm{Val}(e)$).

Proof-terms of PA2⁺ are the proof-terms of PA2 enriched with the constants $\bar n$ (for all $n \in \mathbb N$), $\mathsf s$ and $\mathsf{rec}$. System PA2⁺ provides typing rules for the constants $\mathsf s$ and $\mathsf{rec}$, as well as an introduction rule and two elimination rules for the formula $\{e\} \Rightarrow B$. Note that in this system, we can only apply a proof-term of type $\{e\} \Rightarrow B$ to a variable (declared with $x : \{e\}$) or to a constant of the form $\bar n$, in which case we must have $e = s^n(0)$.

4.3.1. The realizability interpretation of PA2⁺. The realizability interpretation of PA2⁺ is defined as for PA2, using the interpretation of the formula $\{e\} \Rightarrow B$ described in Section 4.2. (Of course, we now work with a set $\mathcal K$ of instructions and a relation of evaluation that fulfill the conditions given in Section 2 and in Section 4.1.)

To express the soundness of the new typing rules, we first have to adapt the definition of $\sigma \Vdash_{\mathrm{NK}} \Gamma[\rho]$ to the extended notion of context. For that, we say that a substitution $\sigma$ realizes a closed parametric context $\Gamma[\rho]$ and write $\sigma \Vdash_{\mathrm{NK}} \Gamma[\rho]$ when the following conditions are fulfilled:

(1) $\mathrm{dom}(\Gamma) \subseteq \mathrm{dom}(\sigma)$;

(2) $\sigma(x) \Vdash_{\mathrm{NK}} A[\rho]$ for every declaration $(x : A) \in \Gamma$;

(3) $\sigma(x) = \bar n$ where $n = \mathrm{Val}(e[\rho])$ for every declaration $(x : \{e\}) \in \Gamma$.

(This definition obviously coincides with the former definition in the case where the context $\Gamma$ only contains declarations of the form $(x : A)$.) The definition of sound judgments and of sound rules (w.r.t. a fixed pole) immediately extends to the new system, so that we can check the following:

Proposition 4.4 (Adequacy). The typing rules of PA2⁺ are sound w.r.t. all poles $\bot\!\!\bot \subseteq \Lambda_c \times \Pi$.

Proof. Let $\bot\!\!\bot$ be a pole. We only treat the specific rules of PA2⁺ (Fig. 3).

• Typing rules for $\mathsf s$ and $\mathsf{rec}$: they immediately follow from Lemma 4.3.

• Introduction rule of $\{e\} \Rightarrow B$. Let us assume that $\Gamma, x : \{e\} \vdash_{\mathrm{NK}} t : B$ is sound. To show that the judgment $\Gamma \vdash_{\mathrm{NK}} \lambda x\,.\,t : \{e\} \Rightarrow B$ is sound too, consider a valuation $\rho$ with a substitution $\sigma$ such that $\sigma \Vdash_{\mathrm{NK}} \Gamma[\rho]$. We want to prove that $(\lambda x\,.\,t)[\sigma] \in |(\{e\} \Rightarrow B)[\rho]|$. For that, let us consider an arbitrary element of $\|(\{e\} \Rightarrow B)[\rho]\|$, that is: a stack of the form $\bar n \cdot \pi$ where $n = \mathrm{Val}(e[\rho])$ and $\pi \in \|B[\rho]\|$, and let us prove that $(\lambda x\,.\,t)[\sigma] \star \bar n \cdot \pi \in \bot\!\!\bot$. Let $\sigma' = (\sigma, x := \bar n)$. We have $\sigma' \Vdash_{\mathrm{NK}} (\Gamma, x : \{e\})[\rho]$, hence $t[\sigma'] \in |B[\rho]|$ from the soundness of the judgment $\Gamma, x : \{e\} \vdash_{\mathrm{NK}} t : B$. By evaluating the process $(\lambda x\,.\,t)[\sigma] \star \bar n \cdot \pi$ we get $(\lambda x\,.\,t)[\sigma] \star \bar n \cdot \pi \succ t[\sigma'] \star \pi \in \bot\!\!\bot$ (since $t[\sigma'] \in |B[\rho]|$), hence $(\lambda x\,.\,t)[\sigma] \star \bar n \cdot \pi \in \bot\!\!\bot$ by anti-evaluation.

• Elimination rules of $\{e\} \Rightarrow B$: both cases are straightforward. □

Thanks to this extension, it is easy to check (by means of typing) that the new relativization predicate $\mathrm{nat}'(x)$ is logically equivalent (in PA2⁺) to the traditional relativization predicate $\mathrm{nat}(x)$ defined in Section 2.4:



$$\begin{array}{ll}
\lambda z\,.\,z\,\hat 0\,(\lambda y\,.\,y\,\mathsf s) & :\ \forall x\,(\mathrm{nat}(x) \Rightarrow \mathrm{nat}'(x)) \\
\lambda z\,.\,z\,(\mathsf{rec}\,(\lambda xf\,.\,x)\,(\lambda\_\,nxf\,.\,f\,(n\,x\,f))) & :\ \forall x\,(\mathrm{nat}'(x) \Rightarrow \mathrm{nat}(x))
\end{array}$$

(where $\hat 0 = \lambda x\,.\,x\,\bar 0$ is the lazy numeral of Section 4.1).
(Intuitively, the above terms convert a Church numeral into the corresponding lazy numeral and vice-versa.) Moreover, we can check that the formula $\forall^{\mathbb N} x\,A(x)$ defined by the shorthand

$$\forall^{\mathbb N} x\,A(x) \;\equiv\; \forall x\,(\{x\} \Rightarrow A(x)) \qquad \text{(nat-as-data relativization)}$$

is logically equivalent to the formula

$$\forall x\,(\mathrm{nat}'(x) \Rightarrow A(x)) \qquad \text{(nat-as-program relativization)}$$

by means of the following proof-terms:

$$\begin{array}{ll}
\lambda fx\,.\,f\,(\lambda y\,.\,y\,x) & :\ \forall x\,(\mathrm{nat}'(x) \Rightarrow A(x)) \Rightarrow \forall^{\mathbb N} x\,A(x) \\
\lambda fx\,.\,x\,f & :\ \forall^{\mathbb N} x\,A(x) \Rightarrow \forall x\,(\mathrm{nat}'(x) \Rightarrow A(x))
\end{array}$$

(Intuitively, functions of type $\forall^{\mathbb N} x\,A(x)$ expect a fully computed natural number represented as a datum on the top of the stack, whereas functions of type $\forall x\,(\mathrm{nat}'(x) \Rightarrow A(x))$ expect a lazy representation of a natural number on the top of the stack, whose corresponding value can be computed later.)

The same remark holds for the two different ways to relativize first-order existential quantification using primitive numerals,

$$\begin{array}{rcl}
 & & \forall Z\,(\forall x\,(\mathrm{nat}'(x) \Rightarrow A(x) \Rightarrow Z) \Rightarrow Z) \\
\exists^{\mathbb N} x\,A(x) & \equiv & \forall Z\,(\forall x\,(\{x\} \Rightarrow A(x) \Rightarrow Z) \Rightarrow Z)
\end{array}$$

which are provably equivalent.

In what follows, we shall thus only consider the problem of witness extraction from universal realizers of existential formulae of the form $\exists^{\mathbb N} x\,A(x)$, whose witnesses are the most directly accessible.

5. Witness extraction in classical realizability

In this section, we are interested in the problem of extracting a witness of a closed existential formula $\exists^{\mathbb N} x\,A(x)$ from a fixed universal realizer $t_0$ of this formula:

$$t_0 \;\Vvdash_{\mathrm{NK}}\; \exists^{\mathbb N} x\,A(x) \;\equiv\; \forall Z\,(\forall x\,(\{x\} \Rightarrow A(x) \Rightarrow Z) \Rightarrow Z).$$

(As a particular case, $t_0$ may be a proof-term of $\exists^{\mathbb N} x\,A(x)$ in PA2⁺.)

Throughout this section, we assume that the instruction set $\mathcal K$ contains (at least) the extra instructions $\bar n$, $\mathsf s$ and $\mathsf{rec}$ presented in Section 4.1 with their accompanying rules. For convenience, we also assume the existence of an instruction $\mathsf{stop}$ with no evaluation rule, which is intended to abort the computation once the desired witness has been found. However, the proofs of Props. 5.1, 5.3 and 5.6 do not rely on any particular assumption on $\mathsf{stop}$, so that these propositions still hold if we consider that $\mathsf{stop}$ denotes a fixed closed $\lambda_c$-term.

The witness extraction methods discussed in Sections 5.2 and 5.4 are directly inspired by the techniques presented in [19], while the method presented in Section 5.6 is due to the author.
5.1. The failure of the naive method. To extract a witness from the universal realizer $t_0 \Vvdash_{\mathrm{NK}} \exists^{\mathbb N} x\,A(x)$, a natural idea would be to apply $t_0$ to the term $\lambda xy\,.\,\mathsf{stop}\,x$ that extracts the first component of the 'pair' $t_0$ and passes it to $\mathsf{stop}$. Applying this idea, we get the following:

Proposition 5.1. For all $\pi \in \Pi$, the process $t_0 \star (\lambda xy\,.\,\mathsf{stop}\,x) \cdot \pi$ evaluates (in a finite number of steps) to a process of the form $\mathsf{stop} \star \bar n \cdot \pi$ for some $n \in \mathbb N$.

Proof. Let us take a stack $\pi \in \Pi$ and work in the pole defined by

$$\bot\!\!\bot \;=\; \{p \;:\; \exists n \in \mathbb N\;\; p \succ^* \mathsf{stop} \star \bar n \cdot \pi\}.$$

Writing $S = \{\pi\}$, we easily check that $\mathsf{stop} \Vdash_{\mathrm{NK}} \forall x\,(\{x\} \Rightarrow \dot S)$ (from the definition of $\bot\!\!\bot$), so that $\lambda xy\,.\,\mathsf{stop}\,x \Vdash_{\mathrm{NK}} \forall x\,(\{x\} \Rightarrow A(x) \Rightarrow \dot S)$ (by adequacy, Prop. 4.4). Therefore $(\lambda xy\,.\,\mathsf{stop}\,x) \cdot \pi \in \|\exists^{\mathbb N} x\,A(x)\|$, and thus $t_0 \star (\lambda xy\,.\,\mathsf{stop}\,x) \cdot \pi \in \bot\!\!\bot$. □

Alas, this result gives us no guarantee that the natural number $n$ we get by this method is such that $A(n)$ is true (in the full standard model). The mistake here is that we have dropped the second component $y$ of the pair $t_0$ (which cannot be taken as a certificate that $A(n)$ holds), and we shall momentarily see that this component is actually the crucial ingredient of the extraction process.



5.2. Extraction in the $\Sigma^0_1$-case. Let us now consider the particular case where the predicate $A(x)$ is of the form $A(x) \equiv f(x) = 0$, where $f$ is a unary function symbol of the signature corresponding to (and denoted by) a primitive recursive function still written $f$.

To understand how to extract a (correct) witness from $t_0$ in this case, let us first study the denotation of equalities in the realizability model:

Lemma 5.2. Let $e_1$ and $e_2$ be closed arithmetic expressions. For all poles $\bot\!\!\bot$ we have

$$\|e_1 = e_2\| \;=\; \begin{cases} \{t \cdot \pi \;:\; t \star \pi \in \bot\!\!\bot\} \;=\; \|\mathbf 1\| & \text{if } \mathrm{Val}(e_1) = \mathrm{Val}(e_2) \\ \Lambda_c \cdot \Pi \;=\; \|\top \Rightarrow \bot\| & \text{if } \mathrm{Val}(e_1) \neq \mathrm{Val}(e_2) \end{cases}$$

(writing $\mathbf 1 \equiv \forall Z\,(Z \Rightarrow Z)$).

In other words, true equalities are interpreted the same way as the formula $\mathbf 1 \equiv \forall Z\,(Z \Rightarrow Z)$ whereas false equalities are interpreted the same way as the formula $\top \Rightarrow \bot$ in the classical realizability model. If $u$ is a realizer of the formula $f(n) = 0$ (w.r.t. a particular pole $\bot\!\!\bot$), then we can distinguish two cases:

• The equality $f(n) = 0$ is true. In this case, we can think of $u$ ($\Vdash_{\mathrm{NK}} \mathbf 1$) as a term that essentially behaves as the identity term $\lambda z\,.\,z$: when coming into head position, it simply vanishes and gives control to its argument.

• The equality $f(n) = 0$ is false. In this case, we can think of $u$ ($\Vdash_{\mathrm{NK}} \top \Rightarrow \bot$) as a term that consumes its argument (whatever it is) and then backtracks to an earlier point in the computation.

Of course, this informal description is only a loose approximation of the actual behavior of the realizer $u \Vdash_{\mathrm{NK}} f(n) = 0$ (which may vary considerably depending on the choice of $\bot\!\!\bot$), but it gives us the clue to fix the naive extraction method.

The idea is to apply the universal realizer $t_0 \Vvdash_{\mathrm{NK}} \exists^{\mathbb N} x\,f(x) = 0$ to the term $\lambda xy\,.\,y\,(\mathsf{stop}\,x)$ that inserts a 'breakpoint' $y$ before returning $x$. If the first component $x$ is a correct witness, then the second component $y$ will vanish and let the program return the correct answer. If the first component $x$ is incorrect, then $y$ will issue a backtrack, and this until a correct witness has been found.

We can now formalize this intuition as follows:

Proposition 5.3. For all $\pi \in \Pi$, the process $t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi$ evaluates (in a finite number of steps) to a process of the form $\mathsf{stop} \star \bar n \cdot \pi$ for some natural number $n \in \mathbb N$ such that $f(n) = 0$.

Proof. Let us take a stack $\pi \in \Pi$ and work in the pole defined by

$$\bot\!\!\bot \;=\; \{p \;:\; \exists n \in \mathbb N\;\; (f(n) = 0 \text{ and } p \succ^* \mathsf{stop} \star \bar n \cdot \pi)\}.$$

Writing $S = \{\pi\}$, we easily check that $\mathsf{stop} \Vdash_{\mathrm{NK}} \{n\} \Rightarrow \dot S$ for all $n \in \mathbb N$ such that $f(n) = 0$ (from the very definition of $\bot\!\!\bot$ and $S$). Let us now show that the term $\lambda xy\,.\,y\,(\mathsf{stop}\,x)$ realizes the formula $\forall x\,(\{x\} \Rightarrow f(x) = 0 \Rightarrow \dot S)$. For that, consider an arbitrary element of the falsity value of this formula, that is: a stack of the form $\bar n \cdot u \cdot \pi$ for some $n \in \mathbb N$ and $u \in |f(n) = 0|$. We have

$$\lambda xy\,.\,y\,(\mathsf{stop}\,x) \star \bar n \cdot u \cdot \pi \;\succ^*\; u \star (\mathsf{stop}\,\bar n) \cdot \pi.$$

To show that $u \star (\mathsf{stop}\,\bar n) \cdot \pi \in \bot\!\!\bot$, we distinguish two cases:

• $f(n) = 0$. In this case, we have $\mathsf{stop}\,\bar n \Vdash_{\mathrm{NK}} \dot S$ (using the 'type' we gave to $\mathsf{stop}$), hence $(\mathsf{stop}\,\bar n) \star \pi \in \bot\!\!\bot$ and thus $(\mathsf{stop}\,\bar n) \cdot \pi \in \|\mathbf 1\| = \|f(n) = 0\|$ (by Lemma 5.2). Therefore $u \star (\mathsf{stop}\,\bar n) \cdot \pi \in \bot\!\!\bot$.

• $f(n) \neq 0$. In this case, we have $(\mathsf{stop}\,\bar n) \cdot \pi \in \|\top \Rightarrow \bot\| = \|f(n) = 0\|$, hence $u \star (\mathsf{stop}\,\bar n) \cdot \pi \in \bot\!\!\bot$.

In both cases we deduce that $\lambda xy\,.\,y\,(\mathsf{stop}\,x) \star \bar n \cdot u \cdot \pi \in \bot\!\!\bot$ by anti-evaluation, which finishes the proof that $\lambda xy\,.\,y\,(\mathsf{stop}\,x) \Vdash_{\mathrm{NK}} \forall x\,(\{x\} \Rightarrow f(x) = 0 \Rightarrow \dot S)$. From the latter we deduce that $(\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi \in \|\exists^{\mathbb N} x\,f(x) = 0\|$, so that $t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi \in \bot\!\!\bot$. □

Remark 5.4. The simple (and reliable) extraction procedure presented above returns a correct witness without keeping track of the intermediate witnesses proposed by the realizer $t_0$. A simple way to display them during the computation is to introduce an instruction $\mathsf{print}$ such that

$$\mathsf{print} \star \bar n \cdot u \cdot \pi \;\succ\; u \star \pi \qquad (n \in \mathbb N,\ u \in \Lambda_c,\ \pi \in \Pi)$$

while printing the natural number $n$ on some output device (the second part of the specification of $\mathsf{print}$ being purely informal). From the only evaluation rule of $\mathsf{print}$, we easily check that $\mathsf{print} \Vvdash_{\mathrm{NK}} \forall x\,(\{x\} \Rightarrow \mathbf 1)$. It is then a straightforward exercise to adapt the proof of Prop. 5.3 when the process $t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi$ is replaced by the process $t_0 \star (\lambda xy\,.\,\mathsf{print}\,x\,y\,(\mathsf{stop}\,x)) \cdot \pi$, which ultimately does the same job while printing the intermediate results.

In Section 8.4 we shall reinterpret the witness extraction method of Prop. 5.3 through a well-suited negative translation.

5.3. Independence of the witness w.r.t. the stack $\pi$. It is easy to see that the witness computed by the process $t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi$ (in the sense of Prop. 5.3) does not actually depend on the stack $\pi$, provided we make the following 'closed world' assumptions:

(1) The relation of (one step) evaluation $\succ$ is defined as the union of the rules (Grab), (Push), (Call/cc), (Resume), (Succ), (Rec-0) and (Rec-S) (cf. Section 2 and Section 4.1). In particular, evaluation is deterministic.

(2) The term $t_0$ contains no continuation constant $\mathsf k_\pi$, that is: $t_0$ is a proof-like term according to the terminology of [19]. Note that this condition is automatically fulfilled when $t_0$ is a proof-term built in system PA2⁺.

(3) The term $\mathsf{stop}$ is an extra instruction (with no evaluation rule).

To prove the desired independence result, we define an operation of stack extension for terms, stacks and processes as follows.¹¹ Given a fixed stack $\pi_0$, we denote by $t\{\circ := \pi_0\}$ (resp. $\pi\{\circ := \pi_0\}$, $p\{\circ := \pi_0\}$) the term $t$ (resp. the stack $\pi$, the process $p$) in which every occurrence of the stack bottom $\circ$ is replaced by the stack $\pi_0$, including inside continuation constants.

Formally, these operations are defined by:

$$\begin{array}{rcl}
x\{\circ := \pi_0\} & = & x \\
(\lambda x\,.\,t)\{\circ := \pi_0\} & = & \lambda x\,.\,t\{\circ := \pi_0\} \\
(t\,u)\{\circ := \pi_0\} & = & t\{\circ := \pi_0\}\;u\{\circ := \pi_0\} \\
\kappa\{\circ := \pi_0\} & = & \kappa \qquad (\kappa \in \mathcal K) \\
(\mathsf k_\pi)\{\circ := \pi_0\} & = & \mathsf k_{\pi\{\circ := \pi_0\}} \\[4pt]
\circ\{\circ := \pi_0\} & = & \pi_0 \\
(t \cdot \pi)\{\circ := \pi_0\} & = & t\{\circ := \pi_0\} \cdot \pi\{\circ := \pi_0\} \\[4pt]
(t \star \pi)\{\circ := \pi_0\} & = & t\{\circ := \pi_0\} \star \pi\{\circ := \pi_0\}
\end{array}$$

Note that when $t$ is a proof-like term, we have $t\{\circ := \pi_0\} = t$. From assumption (1) we immediately get:

Lemma 5.5. If $p \succ p'$, then $p\{\circ := \pi_0\} \succ p'\{\circ := \pi_0\}$ (for all $\pi_0 \in \Pi$).

Proof. By case analysis on the evaluation rule, using (1). (The same result holds if we replace $\succ$ by $\succ^*$.) □

Let us now assume that $t_0$ is a proof-like term (assumption (2)) that is a universal realizer of the formula $\exists^{\mathbb N} x\,f(x) = 0$. From Prop. 5.3 we know that there is some $n \in \mathbb N$ such that $f(n) = 0$ and

$$t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \circ \;\succ^*\; \mathsf{stop} \star \bar n \cdot \circ.$$

But if we apply Lemma 5.5 with an arbitrary stack $\pi$, we thus get

$$t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \pi \;\succ^*\; \mathsf{stop} \star \bar n \cdot \pi$$

(using the fact that $t_0$ is a proof-like term, so that $t_0\{\circ := \pi\} = t_0$).

Since evaluation is deterministic and since the instruction $\mathsf{stop}$ has no evaluation rule, the answer produced by Prop. 5.3 with an arbitrary stack $\pi$ is unique, and it is the same as if we take the stack $\pi = \circ$.

5.3.1. Adding other instructions. The property of independence of the witness w.r.t. the stack $\pi$ crucially depends on the fact that evaluation is deterministic and substitutive w.r.t. the stack constant $\circ$ (in the sense of Lemma 5.5). However, it is sometimes useful to consider instructions whose evaluation rules break Lemma 5.5 (without breaking determinism of evaluation). An example of such an instruction is the instruction $\mathsf{quote}$ with the evaluation rule

$$\mathsf{quote} \star t \cdot \pi \;\succ\; t \star \bar n_\pi \cdot \pi,$$

where $n_\pi$ is the code of the stack $\pi$ according to a fixed bijection between natural numbers and stacks. (Such an instruction is introduced in [17] to realize several forms of the axiom of choice.) If $t_0$ uses such an instruction, then the witness provided by Prop. 5.3 may actually depend on the stack $\pi$.

¹¹ For an account of the possible uses of this technique, see [10].



5.4. Extraction in the decidable case. The witness extraction procedure we presented in Section 5.2 for $\Sigma^0_1$-formulae can be generalized to any existential formula $\exists^{\mathbb N} x\,A(x)$ provided the predicate $A(x)$ is decidable, using a decision function expressed as a $\lambda_c$-term.

Formally, a decision function for the predicate $A(x)$ is a term $d_A \in \Lambda_c$ such that for all $n \in \mathbb N$, $u, v \in \Lambda_c$ and $\pi \in \Pi$ we have

$$d_A \star \bar n \cdot u \cdot v \cdot \pi \;\succ^*\; \begin{cases} u \star \pi & \text{if } \mathcal M \models A(n) \\ v \star \pi & \text{if } \mathcal M \not\models A(n) \end{cases}$$

(writing $\mathcal M$ for the full standard model of PA2). Intuitively, a decision function for the predicate $A(x)$ is a closed $\lambda_c$-term $d_A$ such that for every natural number $n \in \mathbb N$, the applied term $d_A\,\bar n$ acts as a boolean value indicating whether the formula $A(n)$ holds or not in the full standard model of PA2.

Extracting a witness in this case also requires another ingredient to repudiate the wrong witnesses proposed by the realizer $t_0$. Formally, we call a function of conditional refutation of the predicate $A(x)$ any term $r_A \in \Lambda_c$ such that

$$r_A \;\Vvdash_{\mathrm{NK}}\; \{n\} \Rightarrow \neg A(n)$$

for all $n \in \mathbb N$ such that $\mathcal M \not\models A(n)$. Intuitively, the purpose of a function of conditional refutation $r_A$ is to provide a counter-realizer $r_A\,\bar n \Vvdash_{\mathrm{NK}} \neg A(n)$ that we shall oppose to the realizer $u \Vdash_{\mathrm{NK}} A(n)$ coming with any wrong witness proposed by the realizer $t_0$. Such terms $r_A$ can be built for a very large class of formulae, as we shall see in Section 5.5.

Using the decision function $d_A$ and the function of conditional refutation $r_A$, we now get a simple algorithm to perform witness extraction from a universal realizer $t_0 \Vvdash_{\mathrm{NK}} \exists^{\mathbb N} x\,A(x)$:

(1) Extract $n \in \mathbb N$ and $u \Vdash_{\mathrm{NK}} A(n)$ from the universal realizer $t_0$.

(2) Check whether $A(n)$ is true or not, using the decision function $d_A$.

• If $A(n)$ is true, then return $n$ (using the $\mathsf{stop}$ instruction).

• If $A(n)$ is false, then execute the realizer $r_A\,\bar n\,u \Vdash_{\mathrm{NK}} \bot$ to backtrack.

In the language $\lambda_c$, this procedure is implemented by applying the universal realizer $t_0$ to the $\lambda_c$-term $\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)$, which does the expected job:

Proposition 5.6. Let $d_A$ and $r_A$ be respectively a decision function and a function of conditional refutation for the predicate $A(x)$, and let $t_0$ be a universal realizer of the formula $\exists^{\mathbb N} x\,A(x)$. Then for all $\pi \in \Pi$, the process

$$t_0 \star (\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)) \cdot \pi$$

evaluates (in a finite number of steps) to a process of the form $\mathsf{stop} \star \bar n \cdot \pi$ for some natural number $n \in \mathbb N$ such that $A(n)$ is true in the full standard model.

Proof. Let us take a stack $\pi \in \Pi$ and work in the pole defined by

$$\bot\!\!\bot \;=\; \{p \;:\; \exists n \in \mathbb N\;\; (\mathcal M \models A(n) \text{ and } p \succ^* \mathsf{stop} \star \bar n \cdot \pi)\}.$$

Writing $S = \{\pi\}$, we easily check that $\mathsf{stop} \Vdash_{\mathrm{NK}} \{n\} \Rightarrow \dot S$ for all $n \in \mathbb N$ such that $\mathcal M \models A(n)$ (from the very definition of $\bot\!\!\bot$ and $S$). Let us now show that the term $\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)$ realizes the formula $\forall x\,(\{x\} \Rightarrow A(x) \Rightarrow \dot S)$. For that, consider an arbitrary element of the falsity value of this formula, that is: a stack of the form $\bar n \cdot u \cdot \pi$ for some $n \in \mathbb N$ and $u \in |A(n)|$. We have

$$\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y) \star \bar n \cdot u \cdot \pi \;\succ^*\; d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi.$$

To show that $d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi \in \bot\!\!\bot$, we distinguish two cases:

• $\mathcal M \models A(n)$. In this case we have

$$d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi \;\succ^*\; (\mathsf{stop}\,\bar n) \star \pi \;\succ\; \mathsf{stop} \star \bar n \cdot \pi \;\in\; \bot\!\!\bot$$

(using the fact that $\mathsf{stop} \Vdash_{\mathrm{NK}} \{n\} \Rightarrow \dot S$ when $\mathcal M \models A(n)$), from which we get $d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi \in \bot\!\!\bot$ by anti-evaluation.

• $\mathcal M \not\models A(n)$. In this case we have

$$d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi \;\succ^*\; (r_A\,\bar n\,u) \star \pi \;\succ^*\; r_A \star \bar n \cdot u \cdot \pi \;\in\; \bot\!\!\bot$$

since $\bar n \cdot u \cdot \pi \in \|\{n\} \Rightarrow A(n) \Rightarrow \bot\|$ and $r_A \in |\{n\} \Rightarrow A(n) \Rightarrow \bot|$ by the definition of a function of conditional refutation. By anti-evaluation we get $d_A \star \bar n \cdot (\mathsf{stop}\,\bar n) \cdot (r_A\,\bar n\,u) \cdot \pi \in \bot\!\!\bot$.

In both cases we deduce that $\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y) \star \bar n \cdot u \cdot \pi \in \bot\!\!\bot$ by anti-evaluation, which finishes the proof that $\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)$ realizes the formula $\forall x\,(\{x\} \Rightarrow A(x) \Rightarrow \dot S)$ in the pole $\bot\!\!\bot$. From the latter, we immediately deduce that $(\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)) \cdot \pi \in \|\exists^{\mathbb N} x\,A(x)\|$, from which we conclude that $t_0 \star (\lambda xy\,.\,d_A\,x\,(\mathsf{stop}\,x)\,(r_A\,x\,y)) \cdot \pi \in \bot\!\!\bot$. □

5.4.1. The particular case of $\Sigma^0_1$-formulae. In the case where the predicate $A(x)$ is of the form $A(x) \equiv f(x) = 0$ for some primitive recursive function symbol $f$, it is easy to implement a decision function $d_A$ from a $\lambda_c$-term that actually computes $f$. Such a function $d$ that tests whether $f(n) = 0$ for a given argument $n \in \mathbb N$ can even be characterized in terms of realizability as follows:

Lemma 5.7. Let $f$ be a primitive recursive function symbol. For every term $d \in \Lambda_c$ the following assertions are equivalent:

(1) $d$ decides the predicate $A(x) \equiv f(x) = 0$;

(2) $d \;\Vvdash_{\mathrm{NK}}\; \forall Z\,\forall^{\mathbb N} x\,(Z(0) \Rightarrow \forall y\,Z(s(y)) \Rightarrow Z(f(x)))$.

Proof. (1) ⇒ (2). Easily follows from the evaluation rules of the term $d$.
(2) ⇒ (1). Let $n \in \mathbb N$, $u, v \in \Lambda_c$ and $\pi \in \Pi$. We distinguish two cases:

• $f(n) = 0$. We let $\bot\!\!\bot = \{p : p \succ^* u \star \pi\}$ and define a function $\dot F : \mathbb N \to \mathcal P(\Pi)$ by $\dot F(0) = \{\pi\}$ and $\dot F(p) = \varnothing$ for all $p > 0$. We easily check that $u \in |\dot F(0)|$, $v \in |\forall y\,\dot F(s(y))|$ and $\pi \in \|\dot F(f(n))\|$, hence $d \star \bar n \cdot u \cdot v \cdot \pi \in \bot\!\!\bot$.

• $f(n) \neq 0$. We let $\bot\!\!\bot = \{p : p \succ^* v \star \pi\}$ and define a function $\dot F : \mathbb N \to \mathcal P(\Pi)$ by $\dot F(0) = \varnothing$ and $\dot F(p) = \{\pi\}$ for all $p > 0$. We again check that $u \in |\dot F(0)|$, $v \in |\forall y\,\dot F(s(y))|$ and $\pi \in \|\dot F(f(n))\|$, hence $d \star \bar n \cdot u \cdot v \cdot \pi \in \bot\!\!\bot$. □

The function of conditional refutation for the predicate $A(x) \equiv f(x) = 0$ is even easier to build: simply take the constant function $r_A = \lambda\_\,z\,.\,z\,?$ (where $?$ is any $\lambda_c$-term possibly depending on $z$), using the fact that $\vdash_{\mathrm{NK}} \lambda z\,.\,z\,? : f(n) \neq 0$ for all natural numbers $n$ such that $f(n) \neq 0$. (Note that the term $\lambda z\,.\,z\,?$ does not depend on $n$.) In this case, the function of conditional refutation can be replaced by the conditional refutation $\lambda z\,.\,z\,?$, which is a universal realizer of the formula $f(n) \neq 0$ for all natural numbers $n$ such that $f(n) \neq 0$.

Given a term $d_f \in \Lambda_c$ that decides the predicate $f(x) = 0$, we can thus perform witness extraction from a universal realizer $t_0 \Vvdash_{\mathrm{NK}} \exists^{\mathbb N} x\,f(x) = 0$ using the process

$$t_0 \star (\lambda xy\,.\,d_f\,x\,(\mathsf{stop}\,x)\,(y\,?)) \cdot \pi$$

(whose second branch has been simplified). Note that this process is slightly more complex than the process presented in Prop. 5.3, which does not even need to consider a decision function to perform witness extraction from $t_0$.
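The wrappers of Sections 5.1, 5.2 (with the $\mathsf{print}$ instruction of Remark 5.4) and 5.4.1 can be run side by side on a small Krivine abstract machine. The following Python program is an added example, not code from the paper: it implements the rules (Push), (Grab), (Call/cc), (Resume), (Succ), (Rec-0) and (Rec-S), the instruction $\mathsf{stop}$ (no rule), the $\mathsf{print}$ instruction, and a unary instruction $\hat f$ for a hypothetical primitive recursive function $f(n) = |n - 2|$; the decision function $d_f = \lambda xuv\,.\,\hat f\,x\,(\mathsf{rec}\,u\,(\lambda ab\,.\,v))$ is then built from these instructions. The realizer `T0` is a constructed classical realizer of $\exists^{\mathbb N} x\,f(x) = 0$ (valid for any $f$ with $f(2) = 0$) that proposes 0, then 1, then 2, backtracking through a continuation captured by $\mathsf{cc}$; it is hand-built for illustration and is not a PA2⁺ proof-term. The term $?$ of Section 5.4.1 is taken to be $\bar 0$.

```python
# Added example (not the paper's code): a small Krivine abstract machine with
# call/cc, the primitive numerals of Section 4.1 and the extraction wrappers
# of Props. 5.1, 5.3 and 5.6.  T0 is a constructed classical realizer of
# ∃^N x f(x)=0 used to show which wrapper returns a correct witness.

CC, S, REC, STOP, PRINT = ('cc',), ('s',), ('rec',), ('stop',), ('print',)

def V(x): return ('var', x)                    # proof-variable
def L(x, t): return ('lam', x, t)              # λx.t
def N(n): return ('num', n)                    # numeral constant n̄ (a pure datum)
def K(pi): return ('k', pi)                    # continuation constant k_π
def PRIM(name, fn): return ('prim', name, fn)  # f̂ ⋆ n̄·u·π ≻ u ⋆ f(n)‾·π (unary f)
def A(t, *args):                               # left-nested application t a1 ... ak
    for a in args:
        t = ('app', t, a)
    return t

def subst(t, x, u):
    """t[x := u]; u is always closed here, so no capture can occur."""
    tag = t[0]
    if tag == 'var':
        return u if t[1] == x else t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, u))
    if tag == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    return t                                   # instructions, numerals, k_π

def step(t, pi, out):
    """One step t ⋆ π ≻ t' ⋆ π' (stacks are tuples, top first); None if stuck."""
    tag = t[0]
    top_is_num = bool(pi) and pi[0][0] == 'num'
    if tag == 'app':                                      # (Push)
        return t[1], (t[2],) + pi
    if tag == 'lam' and pi:                               # (Grab)
        return subst(t[2], t[1], pi[0]), pi[1:]
    if tag == 'cc' and pi:                                # (Call/cc): cc ⋆ t·π ≻ t ⋆ k_π·π
        rest = pi[1:]
        return pi[0], (K(rest),) + rest
    if tag == 'k' and pi:                                 # (Resume): k_π ⋆ t·π' ≻ t ⋆ π
        return pi[0], t[1]
    if tag == 's' and top_is_num and len(pi) >= 2:        # (Succ)
        return pi[1], (N(pi[0][1] + 1),) + pi[2:]
    if tag == 'rec' and len(pi) >= 3 and pi[2][0] == 'num':
        u0, u1, n = pi[0], pi[1], pi[2][1]
        if n == 0:                                        # (Rec-0)
            return u0, pi[3:]
        return u1, (N(n - 1), A(REC, u0, u1, N(n - 1))) + pi[3:]   # (Rec-S)
    if tag == 'prim' and top_is_num and len(pi) >= 2:     # f̂ hands f(n) over as a datum
        return pi[1], (N(t[2](pi[0][1])),) + pi[2:]
    if tag == 'print' and top_is_num and len(pi) >= 2:    # Remark 5.4: record n, continue
        out.append(pi[0][1])
        return pi[1], pi[2:]
    return None                                           # stop, bare n̄, ...: no rule

def run(t, pi=(), fuel=100_000):
    """Evaluate t ⋆ π until no rule applies; return (head, stack, printed numerals)."""
    out = []
    for _ in range(fuel):
        nxt = step(t, pi, out)
        if nxt is None:
            return t, pi, out
        t, pi = nxt
    raise RuntimeError('no normal form within fuel')

# ---- the realizer under test (constructed, not a proof-term) ---------------
k, kap, x, y, z = V('k'), V('kap'), V('x'), V('y'), V('z')

def backtracker(n, u):
    # λz. kap (k n̄ u): as the 'proof' attached to the previous guess it drops
    # its argument and re-enters the saved continuation with the next guess.
    return L('z', A(kap, A(k, N(n), u)))

# Realizer of ∃^N x f(x)=0, valid whenever f(2)=0: guesses 0, then 1, then 2.
T0 = L('k', A(CC, L('kap', A(k, N(0), backtracker(1, backtracker(2, L('z', z)))))))

# ---- the wrappers ------------------------------------------------------------
def f(n):                      # hypothetical primitive recursive f; f(n)=0 iff n=2
    return abs(n - 2)
FHAT = PRIM('f', f)
# d_f = λxuv. f̂ x (rec u (λab. v)): continues with u if f(x)=0, with v otherwise
D_F = L('x', L('u', L('v', A(FHAT, x, A(REC, V('u'), L('a', L('b', V('v'))))))))

NAIVE  = L('x', L('y', A(STOP, x)))                         # Prop. 5.1
BREAK  = L('x', L('y', A(y, A(STOP, x))))                   # Prop. 5.3
TRACE  = L('x', L('y', A(PRINT, x, y, A(STOP, x))))         # Remark 5.4
DECIDE = L('x', L('y', A(D_F, x, A(STOP, x), A(y, N(0)))))  # Sect. 5.4.1, '?' := 0̄

def extract(t0, wrapper):
    """Run t0 ⋆ wrapper·ε; return (witness n, printed guesses) from stop ⋆ n̄·ε."""
    head, pi, out = run(A(t0, wrapper))
    if head != STOP or not pi or pi[0][0] != 'num':
        raise ValueError('did not stop on a numeral')
    return pi[0][1], out

def decides(n):
    """True iff d_f n̄ selects its first branch, i.e. iff f(n) = 0."""
    head, _, _ = run(A(D_F, N(n), N(1), N(0)))
    return head == N(1)

if __name__ == '__main__':
    for name, w in [('naive', NAIVE), ('breakpoint', BREAK), ('trace', TRACE), ('decide', DECIDE)]:
        n, guesses = extract(T0, w)
        print(f'{name:10s} -> witness {n}, f({n}) = {f(n)}, guesses {guesses}')
```

With this realizer the naive wrapper of Prop. 5.1 stops on $\bar 0$ although $f(0) = 2 \neq 0$, exactly the failure described in Section 5.1; the breakpoint wrapper of Prop. 5.3 lets the two backtracking 'proofs' fire and stops on $\bar 2$; the $\mathsf{print}$ variant records the guesses 0, 1, 2 along the way; and the decision-based wrapper of Section 5.4.1 reaches the same witness by testing $f$ itself before accepting a guess.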

5.5. Existence of functions of conditional refutation. The existence of a function of conditional refutation can be shown for a wide class of predicates, and in particular for every predicate $A(x)$ that is expressed in the language of first-order arithmetic as defined at the end of section 3 (replacing $\forall x\,(\mathsf{nat}(x) \Rightarrow P)$ by $\forall^{\mathbb{N}}x\,P$ in the corresponding BNF). Let us first recall that:

Proposition 5.8. For every $k \ge 0$, there exists a closed proof-term $R_k$ such that for every formula of the form

$A \;\equiv\; \exists^{\mathbb{N}}y_1\,\forall^{\mathbb{N}}z_1 \cdots \exists^{\mathbb{N}}y_k\,\forall^{\mathbb{N}}z_k\; f(y_1, z_1, \ldots, y_k, z_k) \neq 0,$

if $\mathcal{N} \models A$, then $R_k \Vdash_{\mathrm{NK}} A$.

Proof. The existence of such a proof-term is an immediate consequence of Theorem 21 (p. 14) in [19]. Note that $R_k$ only depends on $k$. □

We also check that:

Proposition 5.9 (Existence of the prenex form). If $A(x_1, \ldots, x_p)$ is a formula of first-order arithmetic depending on $p$ first-order variables $x_1, \ldots, x_p$, then there exist a natural number $k \ge 0$ and a function symbol $f$ of arity $p + 2k$ such that the formula

$A'(x_1, \ldots, x_p) \;\equiv\; \exists^{\mathbb{N}}y_1\,\forall^{\mathbb{N}}z_1 \cdots \exists^{\mathbb{N}}y_k\,\forall^{\mathbb{N}}z_k\; f(x_1, \ldots, x_p, y_1, z_1, \ldots, y_k, z_k) \neq 0$

is logically equivalent to $A(x_1, \ldots, x_p)$, in the sense that there are closed proof-terms $u_1, u_2$ such that

$\vdash_{\mathrm{NK}} u_1 : \forall^{\mathbb{N}}x_1 \cdots \forall^{\mathbb{N}}x_p\,(A(x_1, \ldots, x_p) \Rightarrow A'(x_1, \ldots, x_p))$
$\vdash_{\mathrm{NK}} u_2 : \forall^{\mathbb{N}}x_1 \cdots \forall^{\mathbb{N}}x_p\,(A'(x_1, \ldots, x_p) \Rightarrow A(x_1, \ldots, x_p))$.

Proof. This theorem is the reformulation, in the type system of Fig. 1 and 3, of the existence of prenex forms in first-order arithmetic. □

From Prop. 5.8 and 5.9 we deduce the following:

Proposition 5.10 (Existence of a conditional refutation). If $A(x)$ is a formula of first-order arithmetic that only depends on a first-order variable $x$, then the predicate $A(x)$ has a function of conditional refutation $r_A$.

Proof. From Prop. 5.9 applied to the negation $\neg A(x)$, there exists a formula

$A'(x) \;\equiv\; \exists^{\mathbb{N}}y_1\,\forall^{\mathbb{N}}z_1 \cdots \exists^{\mathbb{N}}y_k\,\forall^{\mathbb{N}}z_k\; f(x, y_1, z_1, \ldots, y_k, z_k) \neq 0$

with closed proof-terms $u_1, u_2$ such that

$\vdash_{\mathrm{NK}} u_1 : \forall^{\mathbb{N}}x\,(\neg A(x) \Rightarrow A'(x))$ and $\vdash_{\mathrm{NK}} u_2 : \forall^{\mathbb{N}}x\,(A'(x) \Rightarrow \neg A(x))$.

It suffices to take $r_A \equiv \lambda x\,.\,u_2\,x\,R_k$ (by Prop. 5.8). □

5.6. The method of the kamikaze. The witness extraction procedure presented in section 5.4 depends on two components: a function deciding the predicate $A(x)$, and another function that conditionally refutes the predicate $A(x)$. The critical component here is the decision function $d_A$, since the function $r_A$ can be constructed for a wider class of formulae, i.e. for all arithmetic formulae (cf section 5.5).

In the case where we have a function of conditional refutation $r_A$ but no decision function for the predicate $A(x)$ — typically, when $A(x)$ is a non-atomic arithmetic formula — we can still extract a possibly infinite sequence of 'witness proposals' from the universal realizer $t_0 \Vdash_{\mathrm{NK}} \exists^{\mathbb{N}}x\,A(x)$ by systematically repudiating every proposed witness using the function of conditional refutation $r_A$.

This extraction method, which we call the method of the kamikaze, consists in applying the universal realizer $t_0 \Vdash_{\mathrm{NK}} \exists^{\mathbb{N}}x\,A(x)$ to the term $\lambda xy\,.\,\mathsf{print}\,x\,(r_A\,x\,y)$ (using the 'print' instruction introduced in Remark 5.4), thus implementing in the language $\Lambda_c$ the following algorithm:

(1) Extract $n \in \mathbb{N}$ and $u \Vdash_{\mathrm{NK}} A(n)$ from the universal realizer $t_0$.

(2) Print $n$ on some output device.

(3) Try to backtrack by executing $r_A\,n\,u$.

The crucial point here is that there is no guarantee that the piece of code executed at step 3 will actually issue a backtrack, since we do not know whether $\neg A(n)$ is true. The only invariant we can ensure is the following: as long as the proposed witness $n$ is incorrect, the refutation function $r_A$ is applied in agreement with its specification, so that step 3 will issue a backtrack. But as soon as a correct witness $n$ has been reached, the current process becomes ill-typed, and then anything may happen: the process may enter an infinite loop (possibly displaying other numbers), or it may crash, for instance due to a stack underflow (by evaluating an abstraction or one of the instructions $\mathsf{cc}$, $k_\pi$, $\mathsf{print}$ in front of an empty stack), or because $\mathsf{print}$ is evaluated in front of a stack that does not start with a primitive numeral.

Of course, the interest of the method is that the process that performs the blind extraction of the successive witnesses proposed by the universal realizer $t_0$ cannot go wrong until a correct witness has been reached. We can actually even show that this process eventually reaches a correct witness:
Proposition 5.11. If $t_0$ is a universal realizer of $\exists^{\mathbb{N}}x\,A(x)$ and if $r_A$ is a function of conditional refutation of the predicate $A(x)$, then for all stacks $\pi \in \Pi$ the process

$t_0 \star (\lambda xy\,.\,\mathsf{print}\,x\,(r_A\,x\,y)) \cdot \pi$

evaluates (in a finite number of steps) to a process of the form $\mathsf{print} \star n \cdot u \cdot \pi$, where $u \in \Lambda_c$ and where $n \in \mathbb{N}$ is such that $A(n)$ holds in the full standard model.

Proof. Let us take a stack $\pi \in \Pi$ and work in the pole defined by

$\perp\!\!\!\perp \;=\; \{p : \exists n \in \mathbb{N}\;\exists u \in \Lambda_c\;(\mathcal{N} \models A(n) \;\wedge\; p \succ^* \mathsf{print} \star n \cdot u \cdot \pi)\}.$

Set $S = \{\pi\}$. We first want to show that $\mathsf{print} \star n \cdot (r_A\,n\,v) \cdot \pi \in \perp\!\!\!\perp$ for all $n \in \mathbb{N}$ and for all $v \in |A(n)|$. We distinguish the following two cases:

• $\mathcal{N} \models A(n)$. In this case we have $\mathsf{print} \star n \cdot (r_A\,n\,v) \cdot \pi \in \perp\!\!\!\perp$ from the very definition of the pole $\perp\!\!\!\perp$.

• $\mathcal{N} \not\models A(n)$. In this case, we have

$\mathsf{print} \star n \cdot (r_A\,n\,v) \cdot \pi \;\succ\; (r_A\,n\,v) \star \pi \;\succ^*\; r_A \star n \cdot v \cdot \pi \;\in\; \perp\!\!\!\perp$

from our assumption on $r_A$ combined with the fact that $\mathcal{N} \not\models A(n)$. Hence we get $\mathsf{print} \star n \cdot (r_A\,n\,v) \cdot \pi \in \perp\!\!\!\perp$ by anti-evaluation.

From this result we easily get

$\lambda xy\,.\,\mathsf{print}\,x\,(r_A\,x\,y) \;\Vdash_{\mathrm{NK}}\; \forall x\,(\{x\} \Rightarrow A(x) \Rightarrow S)$

and finally: $t_0 \star (\lambda xy\,.\,\mathsf{print}\,x\,(r_A\,x\,y)) \cdot \pi \in \perp\!\!\!\perp$. □

Let us note that the above proof relies in an essential way on the definition of a pole $\perp\!\!\!\perp$ that is not closed under evaluation, thus reflecting the fact that the process which performs kamikaze extraction is correct up to some point during evaluation. After this point has been reached — that is, when a correct witness has been printed — the realizability model gives us no invariant anymore about the execution of the current process, so that anything may happen.

6. An example based on the minimum principle

In this section, we give an example of witness extraction in the $\Sigma^0_1$-case.

An important aspect of the witness extraction procedure described in Prop. 5.3 is that the universal realizer $t_0 \Vdash_{\mathrm{NK}} \exists^{\mathbb{N}}x\,f(x) = 0$ does not need to be a proof-term in the sense of the type system of PA2+ — it just needs to be a universal realizer in the sense of classical realizability. Indeed, the naive method that consists in extracting the $\Lambda_c$-term from the proof as is tends to produce highly inefficient code. On the other hand, many useful arithmetic lemmas have universal realizers that are much more compact (and much more efficient) than the realizers that would come from official proofs.

For this reason, it is reasonable to isolate such lemmas during the extraction process, and to replace their official proof-terms (i.e. coming from derivations in PA2+) by universal realizers built by hand. In what follows, we shall illustrate this point with the minimum principle.
6.1. Notations. In PA2+, it is convenient to define the ordering relation $x \le y$ from Leibniz equality by letting

$x \le y \;\equiv\; \mathsf{minus}(x, y) = 0,$

where $\mathsf{minus}$ is the binary primitive recursive function defined by the equations

$\mathsf{minus}(x, 0) = x$
$\mathsf{minus}(0, s(y)) = 0$
$\mathsf{minus}(s(x), s(y)) = \mathsf{minus}(x, y)$

Given a unary primitive recursive function symbol $f$, we express that $f$ is a function from natural numbers to natural numbers with the formula

$\mathsf{Fun}(f) \;\equiv\; \forall^{\mathbb{N}}x\,\mathsf{nat}'(f(x)) \;\equiv\; \forall x\,(\{x\} \Rightarrow \forall Z\,((\{f(x)\} \Rightarrow Z) \Rightarrow Z)).$

It is easy to check that universal realizers of the formula $\mathsf{Fun}(f)$ are precisely the closed $\Lambda_c$-terms that compute the function $f$, namely:

Lemma 6.1. Given a term $t \in \Lambda_c$, the following assertions are equivalent:

(1) For all $n \in \mathbb{N}$, $u \in \Lambda_c$, $\pi \in \Pi$: $t \star n \cdot u \cdot \pi \succ^* u \star f(n) \cdot \pi$ (i.e. $t$ computes $f$);

(2) $t \Vdash_{\mathrm{NK}} \mathsf{Fun}(f)$ (i.e. $t$ universally realizes $\mathsf{Fun}(f)$).

Proof. $1 \Rightarrow 2$ immediately follows from the definitions of classical realizability.

$2 \Rightarrow 1$. Let us assume that $t \Vdash_{\mathrm{NK}} \mathsf{Fun}(f)$, and fix $n \in \mathbb{N}$, $u \in \Lambda_c$ and $\pi \in \Pi$. We define the pole $\perp\!\!\!\perp = \{p : p \succ^* u \star f(n) \cdot \pi\}$ and the falsity value $S = \{\pi\}$, from which we easily check that $u \Vdash_{\mathrm{NK}} \{f(n)\} \Rightarrow S$. From our initial assumption, we have $t \Vdash_{\mathrm{NK}} \{n\} \Rightarrow (\{f(n)\} \Rightarrow S) \Rightarrow S$, and thus $t \star n \cdot u \cdot \pi \in \perp\!\!\!\perp$. □

Finally, we use the shorthand $(x; y) \equiv \lambda z\,.\,z\,x\,y$ to denote ordered pairs in $\Lambda_c$, keeping in mind that this construction can be used to prove (or realize) both conjunctions and numeric existential quantifications.

6.2. The functional minimum principle. We now want to build a universal realizer of the formula expressing that a function from natural numbers to natural numbers reaches its minimum:

$\mathsf{MinPrinc} \;\equiv\; \mathsf{Fun}(f) \Rightarrow \exists^{\mathbb{N}}x\,\forall^{\mathbb{N}}y\,(f(x) \le f(y))$

(Note that the premise $\mathsf{Fun}(f)$ is crucial to prove/realize the result.) Since this formulation of the minimum principle is (classically) provable in PA2+, we could take any proof-term of it as a universal realizer. In this case however, it is much more interesting to build a universal realizer by hand.

For that, let us take a closed $\Lambda_c$-term $\mathsf{test\_le}$ that performs the comparison of two primitive natural numbers, in the sense that

$\mathsf{test\_le} \star n \cdot m \cdot u \cdot v \cdot \pi \;\succ\; \begin{cases} u \star \pi & \text{if } n \le m \\ v \star \pi & \text{otherwise} \end{cases}$

for all $n, m \in \mathbb{N}$, $u, v \in \Lambda_c$ and $\pi \in \Pi$. (It is a straightforward exercise of programming to implement such a term in $\Lambda_c$.)

Now, let us consider a closed $\Lambda_c$-term $\mathsf{min\_aux}$ such that

$\mathsf{min\_aux} \star f \cdot k \cdot n \cdot m \cdot \pi \;\succ^*\; (n;\ \lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')))) \star \pi$

for all $f, k, n, m \in \Lambda_c$ and $\pi \in \Pi$. Intuitively, such a $\Lambda_c$-term $\mathsf{min\_aux}$ is a recursive function that takes the following arguments:

• A realizer $f \Vdash_{\mathrm{NK}} \mathsf{Fun}(f)$ (i.e. an implementation of $f$).

• A continuation $k \Vdash_{\mathrm{NK}} \neg\exists^{\mathbb{N}}x\,\forall^{\mathbb{N}}y\,(f(x) \le f(y))$ for backtracking.

• The current witness proposal $n$.

• The image $m = f(n)$ of the current witness proposal. (We keep this argument across the recursive call to avoid recomputing it later.)

When it is called with these arguments, the function $\mathsf{min\_aux}$ returns an ordered pair $(n; h)$ whose first component is the current witness proposal $n$, and whose second component is a function

$h \;=\; \lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')))$

that takes a natural number $n'$, computes its image $m' = f(n')$ and compares it with $m$. In the case where $m \le m'$, the function $h$ returns the identity term $I$, which is an obvious realizer of $f(n) \le f(n')$. In the case where $m' < m$, the function $h$ backtracks using the continuation $k$, and recursively calls $\mathsf{min\_aux}$ with $n'$ as the new witness proposal, and $m'$ as its image by $f$.

Note that there are several ways to implement the term $\mathsf{min\_aux}$ in $\Lambda_c$. For instance, we can let

$\mathsf{min\_aux} \;\equiv\; Y\,(\lambda r f k n m\,.\,(n;\ \lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(r\,f\,k\,n'\,m'))))),$

where $Y \equiv (\lambda yz\,.\,z\,(y\,y\,z))\,(\lambda yz\,.\,z\,(y\,y\,z))$ is Turing's fixpoint combinator (see the footnote below), or we can simply introduce $\mathsf{min\_aux}$ as an extra instruction with the desired evaluation rule. Whatever the way we implement $\mathsf{min\_aux}$, we can check that:

Lemma 6.2. Writing $E \equiv \exists^{\mathbb{N}}x\,\forall^{\mathbb{N}}y\,f(x) \le f(y)$, we have:

$\mathsf{min\_aux} \;\Vdash_{\mathrm{NK}}\; \forall x\,(\mathsf{Fun}(f) \Rightarrow \neg E \Rightarrow \{x\} \Rightarrow \{f(x)\} \Rightarrow E).$

Proof. Fix a pole $\perp\!\!\!\perp$ and two realizers $f \Vdash_{\mathrm{NK}} \mathsf{Fun}(f)$ and $k \Vdash_{\mathrm{NK}} \neg E$, and consider the property $\mathrm{IH}(m)$ defined by

$\mathrm{IH}(m)$: for all $n \in \mathbb{N}$ s.t. $f(n) = m$, for all $\pi \in \|E\|$, we have: $\mathsf{min\_aux} \star f \cdot k \cdot n \cdot m \cdot \pi \in \perp\!\!\!\perp$.

We want to prove $\mathrm{IH}(m)$ by well-founded induction on $m$. For that, let us fix $m \in \mathbb{N}$, assume that $\mathrm{IH}(m')$ holds for all $m' < m$, and take $n \in \mathbb{N}$ such that $f(n) = m$ and $\pi \in \|E\|$. From the evaluation rules of $\mathsf{test\_le}$, we can derive that

$\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')) \;\Vdash_{\mathrm{NK}}\; f(n) \le f(n')$

for all $n', m' \in \mathbb{N}$ such that $m' = f(n')$, distinguishing cases depending on whether $m \le m'$ or $m' < m$, and using the induction hypothesis $\mathrm{IH}(m')$ in the second case. From this we successively get

$\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')) \;\Vdash_{\mathrm{NK}}\; \{f(n')\} \Rightarrow f(n) \le f(n')$
$\lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m'))) \;\Vdash_{\mathrm{NK}}\; \forall^{\mathbb{N}}y\,(f(n) \le f(y))$
$(n;\ \lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')))) \;\Vdash_{\mathrm{NK}}\; E$
$(n;\ \lambda n'\,.\,f\,n'\,(\lambda m'\,.\,\mathsf{test\_le}\,m\,m'\,I\,(k\,(\mathsf{min\_aux}\,f\,k\,n'\,m')))) \star \pi \;\in\; \perp\!\!\!\perp$

hence $\mathsf{min\_aux} \star f \cdot k \cdot n \cdot m \cdot \pi \in \perp\!\!\!\perp$, by anti-evaluation. □

Footnote: We use Turing's fixpoint combinator rather than Church's, since Turing's combinator is better suited for the call-by-name strategy.
Now we can set:

$\mathsf{min\_princ} \;\equiv\; \lambda f\,.\,f\,0\,(\lambda m\,.\,\mathsf{cc}\,(\lambda k\,.\,\mathsf{min\_aux}\,f\,k\,0\,m)).$

Intuitively, this function takes an implementation of $f$, computes the image $m = f(0)$, captures the current continuation as $k$ and then calls $\mathsf{min\_aux}$ with $0$ as the initial witness proposal (accompanied with its image $m = f(0)$).

Combining Lemma 6.2 and the property of adequacy (Prop. 3.10) with the derivable judgment

$z : \forall x\,(\mathsf{Fun}(f) \Rightarrow \neg E \Rightarrow \{x\} \Rightarrow \{f(x)\} \Rightarrow E) \;\vdash_{\mathrm{NK}}\; \lambda f\,.\,f\,0\,(\lambda m\,.\,\mathsf{cc}\,(\lambda k\,.\,z\,f\,k\,0\,m)) : \mathsf{MinPrinc}$

we immediately deduce that:

$\mathsf{min\_princ} \;\Vdash_{\mathrm{NK}}\; \mathsf{Fun}(f) \Rightarrow \exists^{\mathbb{N}}x\,\forall^{\mathbb{N}}y\,(f(x) \le f(y)).$

6.3. A $\Sigma^0_1$-consequence of the minimum principle. Let $f$ and $g$ be two functions from natural numbers to natural numbers. The minimum principle gives a simple argument to show the existence of a natural number $x$ such that $f(x) \le f(g(x))$, which is to take a point $x$ where $f$ reaches its minimum. In PA2+, the argument is formalized as follows:

$z : \mathsf{MinPrinc},\ f : \mathsf{Fun}(f),\ g : \mathsf{Fun}(g) \;\vdash_{\mathrm{NK}}\; z\,f\,(\lambda nh\,.\,(n;\ g\,n\,h)) : \exists^{\mathbb{N}}x\,(f(x) \le f(g(x)))$

Considering implementations $f \Vdash_{\mathrm{NK}} \mathsf{Fun}(f)$ and $g \Vdash_{\mathrm{NK}} \mathsf{Fun}(g)$ of the functions $f$ and $g$, we thus get a universal realizer of the following $\Sigma^0_1$-formula:

$\mathsf{min\_princ}\,f\,(\lambda nh\,.\,(n;\ g\,n\,h)) \;\Vdash_{\mathrm{NK}}\; \exists^{\mathbb{N}}x\,(f(x) \le f(g(x)))$

By Prop. 5.3 we know that the process

$p_0 \;\equiv\; \mathsf{min\_princ}\,f\,(\lambda nh\,.\,(n;\ g\,n\,h)) \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \diamond$

computes the desired witness (which depends of course on $f$ and $g$).

6.4. Executing $\Lambda_c$-code. Fig. 4 illustrates the execution of the above process $p_0$ in the particular case where $f$ and $g$ are given by

$f(x) = |x - 1000| \qquad\text{and}\qquad g(x) = 2x + 1.$

The process $p_0$ was executed using the jivaro head reduction machine [23], a small interpreter of Krivine's $\Lambda_c$-calculus extended with many built-in primitives (mainly for arbitrary-precision arithmetic and string manipulation). We slightly altered the code of $p_0$ in order to print intermediate witness proposals, so that the actual code of $p_0$ is

$p_0 \;\equiv\; \mathsf{min\_princ}\,f\,(\lambda nh\,.\,(n;\ g\,n\,h)) \star (\lambda xy\,.\,\mathsf{print}\,x\,y\,(\mathsf{stop}\,x)) \cdot \diamond$

where $\mathsf{print}$ is the instruction mentioned in Remark 5.4, p. 20.

As shown in the input script of Fig. 4, each component of the process $p_0$ is introduced as a new instruction given with its evaluation rule (using the command Define). Note that such definitions may be (mutually) recursive, which is the case here for the instructions min_aux and min_snd. The interest of using named instructions rather than anonymous $\Lambda_c$-terms is that we can more easily track when each piece of the code comes into head position during execution.
Input script

    (* Identity *)
    Define I x = x ;;
    (* Pairing *)
    Define pair x y z = z x y ;;
    (* Alias for int_le primitive *)
    Define test_le = int_le ;;

    (* Realizing the minimum principle *)
    Define min_aux f k n m = pair n (min_snd f k m) ;;
    Define min_snd f k m n' = f n' (\m' test_le m m' I (k (min_aux f k n' m'))) ;;
    Define min_princ f = f 0 (\n (callcc (\k min_aux f k 0 n))) ;;

    (* Take f(x) = |x - 1000| and g(x) = 2x + 1 *)
    Define f n = int_le n 1000 (int_minus 1000 n) (int_minus n 1000) ;;
    Define g n = int_mult 2 n (\m int_succ m) ;;

    (* Universal realizer of \existsN x, f(x) <= f(g(x)) *)
    Define realizer = min_princ f (\n\h pair n (g n h)) ;;

    Trace On ;;

    (* Perform Sigma^0_1 witness extraction & print intermediate witnesses *)
    Eval realizer ; (\x\y print x y (stop x)) ;;

Output

    0
    1
    3
    7
    15
    31
    63
    127
    255
    511
    1023
    Final state: stop * 1023 . <empty stack>   (stopped)

Evaluation statistics (instruction calls)

    @ (Push)          419
    \ (Grab)           68
    int_le             23
    pair               22
    f                  12
    int_minus          12
    g                  11
    int_mult           11
    int_succ           11
    min_aux            11
    min_snd            11
    print              11
    test_le            11
    k (Restore)        10
    I                   1
    callcc (Save)       1
    min_princ           1
    realizer            1
    stop                1

Figure 4: Example of witness extraction using the jivaro machine



The output given in Fig. 4 shows that during its execution, the process $p_0$ successively tries the following guesses for $x$:

$x_0 = 0,\ x_1 = 1,\ x_2 = 3,\ x_3 = 7,\ x_4 = 15,\ x_5 = 31,$
$x_6 = 63,\ x_7 = 127,\ x_8 = 255,\ x_9 = 511,\ x_{10} = 1023.$

Since the last guess ($x_{10} = 1023$) is a solution of the problem, the execution stops on the final state $\mathsf{stop} \star 1023 \cdot \diamond$, with the form predicted by Prop. 5.3.

The choice of this particular sequence of guesses is explained as follows.

During the execution of the process $p_0$, the proof of $\exists^{\mathbb{N}}x\,(f(x) \le f(g(x)))$ uses the guess $x_i$ produced by the minimum principle as well as the accompanying justification of the formula $\forall^{\mathbb{N}}y\,(f(x_i) \le f(y))$ to build a realizer of $f(x_i) \le f(g(x_i))$. But when the latter is executed, it invokes the accompanying justification, which actually compares the values of $x_i$ and $g(x_i)$ by $f$. In the case where $f(g(x_i)) < f(x_i)$, the guess $x_i$ was wrong, and the accompanying justification backtracks to the point where the minimum principle was invoked (using an embedded continuation $k_\pi$). When restarted, the minimum principle can then propose $x_{i+1} = g(x_i)$ as a new guess. As a consequence, the process $p_0$ produces its guesses $x_i = g^i(0)$ by iterating the function $g$ until $f(x_i) \le f(g(x_i))$.

Note that this behavior is the same as the one we observe when treating the same example using Friedman's method or its refinements [3]. Of course, this similarity is not a coincidence since Friedman's translation is actually hard-wired in Krivine's semantics (as already pointed out in [25]), and we shall come back to this point with more details in sections 7 and 8.
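The run of Fig. 4 can be replayed without the jivaro machine. The following is an added example, not code from the paper nor from jivaro [23]: a small Krivine abstract machine in Python with the instructions callcc, $k_\pi$, print, stop and the arithmetic primitives int_le, int_minus, int_mult and int_succ, on which the Define commands of Fig. 4 are transcribed as closed terms. The tuple representation of terms, the helper names (V, N, L, A, DEFS, run, extract_witness) and the choice to resolve a variable bound to a primitive numeral when it is pushed (so that primitives always find numerals on the stack) are this example's own assumptions; print records the numerals it consumes in a list instead of writing them to an output device.

```python
"""Krivine abstract machine with call/cc, primitive numerals and print/stop, replaying
the extraction of Fig. 4. Added example (not the paper's code nor the jivaro machine
[23]); term representation, helper names and numeral handling are this example's own."""

def V(x): return ('var', x)
def N(n): return ('num', n)

def L(xs, body):                 # curried abstraction: L('x y', t) is \x.\y.t
    for x in reversed(xs.split()):
        body = ('lam', x, body)
    return body

def A(*ts):                      # left-nested application: A(t, u, v) is (t u) v
    t = ts[0]
    for u in ts[1:]:
        t = ('app', t, u)
    return t

PRIMS = {'callcc', 'int_le', 'int_minus', 'int_mult', 'int_succ', 'print', 'stop'}

# The 'Define' commands of Fig. 4 as closed terms (test_le is an alias of int_le).
DEFS = {
    'I': L('x', V('x')),
    'pair': L('x y z', A(V('z'), V('x'), V('y'))),
    'test_le': V('int_le'),
    'min_aux': L('f k n m', A(V('pair'), V('n'), A(V('min_snd'), V('f'), V('k'), V('m')))),
    'min_snd': L('f k m n1', A(V('f'), V('n1'), L('m1', A(V('test_le'), V('m'), V('m1'), V('I'),
                A(V('k'), A(V('min_aux'), V('f'), V('k'), V('n1'), V('m1'))))))),
    'min_princ': L('f', A(V('f'), N(0), L('m', A(V('callcc'),
                  L('k', A(V('min_aux'), V('f'), V('k'), N(0), V('m'))))))),
    # f(x) = |x - 1000| and g(x) = 2x + 1, in continuation-passing style
    'f': L('n', A(V('int_le'), V('n'), N(1000), A(V('int_minus'), N(1000), V('n')),
                A(V('int_minus'), V('n'), N(1000)))),
    'g': L('n', A(V('int_mult'), N(2), V('n'), L('m', A(V('int_succ'), V('m'))))),
    'realizer': A(V('min_princ'), V('f'), L('n h', A(V('pair'), V('n'), A(V('g'), V('n'), V('h'))))),
}

def arg(u, env):                 # stack element for argument u: numeral, bound value or closure
    if u[0] == 'num': return u[1]
    if u[0] == 'var' and u[1] in env: return env[u[1]]
    return ('clo', u, env)

def head(elem):                  # stack element back in head position, as (term, env)
    if isinstance(elem, int): return (N(elem), {})
    return (elem[1], elem[2]) if elem[0] == 'clo' else (elem, {})

def num(elem):                   # primitives expect a primitive numeral on the stack
    if isinstance(elem, int): return elem
    raise TypeError('primitive numeral expected on the stack')

def run(term, stack=None, max_steps=100000):
    """Evaluate the process term * stack (top of stack = end of the list); returns
    (numeral given to stop, numerals consumed by print, in order)."""
    stack, printed, proc = list(stack or []), [], (term, {})
    for _ in range(max_steps):
        t, env = proc
        kind = t[0]
        if kind == 'app':                         # Push:  t u * pi  >  t * u.pi
            stack.append(arg(t[2], env))
            proc = (t[1], env)
        elif kind == 'lam':                       # Grab:  \x.t * u.pi  >  t{x:=u} * pi
            proc = (t[2], {**env, t[1]: stack.pop()})
        elif kind == 'var':
            x = t[1]
            if x in env: proc = head(env[x])
            elif x in DEFS: proc = (DEFS[x], {})
            elif x in PRIMS: proc = (('prim', x), {})
            else: raise NameError(x)
        elif kind == 'num':                       # the ill-typed situation of section 5.6
            raise RuntimeError('numeral in head position')
        elif kind == 'cont':                      # Restore:  k_pi * u.pi'  >  u * pi
            u = stack.pop()
            stack = list(t[1])
            proc = head(u)
        elif t[1] == 'callcc':                    # Save:  cc * u.pi  >  u * k_pi.pi
            u = stack.pop()
            stack.append(('cont', tuple(stack)))
            proc = head(u)
        elif t[1] == 'int_le':                    # * n.m.u.v.pi  >  u * pi if n <= m else v * pi
            n, m, u, v = stack.pop(), stack.pop(), stack.pop(), stack.pop()
            proc = head(u if num(n) <= num(m) else v)
        elif t[1] in ('int_minus', 'int_mult'):   # * n.m.u.pi  >  u * (n op m).pi
            n, m, u = num(stack.pop()), num(stack.pop()), stack.pop()
            stack.append(n - m if t[1] == 'int_minus' else n * m)
            proc = head(u)
        elif t[1] == 'int_succ':                  # * n.u.pi  >  u * (n+1).pi
            n, u = num(stack.pop()), stack.pop()
            stack.append(n + 1)
            proc = head(u)
        elif t[1] == 'print':                     # * n.u.pi  >  u * pi, recording n
            printed.append(num(stack.pop()))
            proc = head(stack.pop())
        else:                                     # stop * n.pi : final state, n is the witness
            return num(stack.pop()), printed
    raise RuntimeError('step limit exceeded')

def extract_witness():           # Fig. 4:  Eval realizer ; (\x\y print x y (stop x)) ;;
    extractor = L('x y', A(V('print'), V('x'), V('y'), A(V('stop'), V('x'))))
    return run(V('realizer'), [('clo', extractor, {})])
```

Calling extract_witness() returns the witness 1023 together with the recorded guesses 0, 1, 3, ..., 1023, the same sequence as the output of Fig. 4; the single callcc saves a two-element stack, as noted in section 6.4.1, and every restore of that continuation corresponds to one backtrack. A numeral reaching head position, which is the ill-typed situation of section 5.6, raises an error here rather than continuing with undefined behaviour.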

6.4.1. Evaluation statistics. Fig. 4 also provides some statistics giving how many times each instruction has been called during evaluation.

Not surprisingly, the most frequent operations are Push (419 times) and Grab (68 times), the asymmetry between these coming from the fact that stack arguments are not only consumed by abstractions (Grab), but also by the instructions used by the program, which may be primitive (callcc, int_le, etc.) or defined by the user (pair, min_aux, etc.).

We can also see that our hand-made implementation of the minimum principle is optimal: the number of calls to the function f as well as the number of comparisons of images (by $f$) of guesses (using the instruction test_le) are both minimal. Moreover, the callcc instruction is called once during the whole execution, thus creating a unique continuation constant $k_\pi$ (where $|\pi| = 2$) that is used exactly 10 times (Restore), that is: once for each backtrack.

We also tested this example by replacing the hand-made realizer of the minimum principle with an actual proof of it (in PA2+). The observed behavior remains the same, but the proof-term is much bigger and its execution is quite inefficient, mainly due to the arithmetic reasoning involved in the induction underlying the proof of the principle. (In the hand-made realizer, induction is performed at the meta-theoretic level, and thus has no cost during execution.) We can also notice that depending on the way we use classical logic in the proof of the minimum principle, the corresponding proof-term may invoke the call/cc instruction several times, or only once as in the hand-made realizer.

7. Intuitionistic second-order arithmetic

We now define a type system for intuitionistic second-order arithmetic (HA2), as well as a realizability model that closely follows the traditional Brouwer-Heyting-Kolmogorov interpretation. As in [25], we introduce a primitive form of conjunction (as a Cartesian product) and primitive forms of first- and second-order existential quantification (as infinitary unions).

Footnote (to section 6.4): Note that although each guess $x_i$ claims to be a point where $f$ reaches its minimum (until the context proves it wrong and forces backtrack), none of them — including the last one — is such a point, since $f$ takes its minimum for $x = 1000$.
7.1. The language of formulae. The language of arithmetic expressions of HA2 is the same as for PA2 (Fig. 1), and it is equipped with the congruence $e \cong e'$ generated from the same equations (cf section 2.2). The language of formulae is now the following:

Formulae $\quad A, B \;::=\; \mathsf{null}(e) \mid \mathsf{nat}(e) \mid X(e_1, \ldots, e_k) \mid A \Rightarrow B \mid \forall x\,A \mid \forall X\,A \mid A \wedge B \mid \exists x\,A \mid \exists X\,A$

To the language of formulae of PA2 (Fig. 1) we add:

• A new predicate symbol $\mathsf{nat}(e)$ to give a type to the Peano-style numerals we shall introduce in the language of proof-terms.

• A primitive conjunction $A \wedge B$ that we shall interpret in the intuitionistic realizability model as a type of pairs.

• Primitive forms of first- and second-order existential quantification that will be interpreted in the model as infinitary unions (as in [25]).

In this setting, the units $\top$ and $\bot$ are defined with the shorthands $\top \equiv \exists Z\,Z$ and $\bot \equiv \forall Z\,Z$, whereas numeric quantifications are defined as

$\forall^{\mathbb{N}}x\,A(x) \;\equiv\; \forall x\,(\mathsf{nat}(x) \Rightarrow A(x))$
$\exists^{\mathbb{N}}x\,A(x) \;\equiv\; \exists x\,(\mathsf{nat}(x) \wedge A(x))$

7.1.1. The congruence $A \cong A'$. The congruence $A \cong A'$ over the class of formulas of HA2 is defined from the defining equations of the primitive recursive function symbols of the signature, plus the three equations

$\mathsf{null}(0) \;\cong\; \top \;\equiv\; \exists Z\,Z \qquad\qquad \mathsf{null}(s(e)) \;\cong\; \bot \;\equiv\; \forall Z\,Z$

and $\qquad (\exists v\,A(v)) \Rightarrow B \;\cong\; \forall v\,(A(v) \Rightarrow B)$

where $v$ is any first- or second-order variable that does not occur free in $B$. We shall see that the second equation is not only consistent with the interpretation of existential quantifications as infinitary unions (cf section 7.4), but that it is also crucial to establish Prop. 8.6.

7.2. A type system for intuitionistic second-order arithmetic. We introduce an intuitionistic (and more traditional) proof system based on a judgment of the form $\Gamma \vdash_{\mathrm{NJ}} t : A$, where the proof-term $t$ is now formed in the pure $\lambda$-calculus enriched with the following constants: $\mathsf{pair}$ (pairing), $\mathsf{fst}$ (first projection), $\mathsf{snd}$ (second projection), $0$ (zero), $\mathsf{s}$ (successor) and $\mathsf{rec}$ (recursor). In what follows we shall write $(t; u)$ for the application $\mathsf{pair}\,t\,u$, and denote by $\Lambda$ the set of all closed proof-terms. Typing contexts are simply defined here as finite ordered lists of declarations of the form $\Gamma \equiv x_1 : A_1, \ldots, x_n : A_n$ where $x_1, \ldots, x_n$ are pairwise distinct proof-variables.

The class of derivable judgments $\Gamma \vdash_{\mathrm{NJ}} t : A$ is inductively defined from the rules of inference of Fig. 5 (writing $\forall^{\mathbb{N}}x\,A(x) \equiv \forall x\,(\mathsf{nat}(x) \Rightarrow A(x))$). Note that there is no elimination rule for first- and second-order primitive existential quantification, since the desired elimination can be performed using the conversion rule $\forall v\,(A(v) \Rightarrow B) \cong (\exists v\,A(v)) \Rightarrow B$ (where $v \notin FV(B)$).
The language of HA2

Formulae $\quad A, B \;::=\; X(e_1, \ldots, e_k) \mid \mathsf{null}(e) \mid \mathsf{nat}(e) \mid A \Rightarrow B \mid \forall x\,A \mid \forall X\,A \mid A \wedge B \mid \exists x\,A \mid \exists X\,A$
Proof-terms $\quad t, u \;::=\; x \mid \lambda x\,.\,t \mid t\,u \mid \mathsf{pair} \mid \mathsf{fst} \mid \mathsf{snd} \mid 0 \mid \mathsf{s} \mid \mathsf{rec}$
Contexts $\quad \Gamma \;::=\; \emptyset \mid \Gamma, x : A$

The congruence $A \cong A'$

$\mathsf{null}(0) \cong \top \qquad \mathsf{null}(s(x)) \cong \bot \qquad (\exists v\,A) \Rightarrow B \;\cong\; \forall v\,(A \Rightarrow B) \quad (v \notin FV(B))$

Abbreviations

$\top \equiv \exists Z\,Z \qquad \bot \equiv \forall Z\,Z \qquad e = e' \;\equiv\; \forall Z\,(Z(e) \Rightarrow Z(e'))$
$\forall^{\mathbb{N}}x\,A(x) \;\equiv\; \forall x\,(\mathsf{nat}(x) \Rightarrow A(x)) \qquad \exists^{\mathbb{N}}x\,A(x) \;\equiv\; \exists x\,(\mathsf{nat}(x) \wedge A(x))$

Typing rules (premises and side conditions on the left of $\Longrightarrow$, conclusion on the right)

$(x : A) \in \Gamma \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} x : A$
$\Gamma \vdash_{\mathrm{NJ}} t : A,\ A \cong A' \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : A'$
$\Gamma, x : A \vdash_{\mathrm{NJ}} t : B \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} \lambda x\,.\,t : A \Rightarrow B$
$\Gamma \vdash_{\mathrm{NJ}} t : A \Rightarrow B,\ \Gamma \vdash_{\mathrm{NJ}} u : A \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t\,u : B$
$\Gamma \vdash_{\mathrm{NJ}} t : A,\ x \notin FV(\Gamma) \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : \forall x\,A$
$\Gamma \vdash_{\mathrm{NJ}} t : \forall x\,A \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : A\{x := e\}$
$\Gamma \vdash_{\mathrm{NJ}} t : A,\ X \notin FV(\Gamma) \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : \forall X\,A$
$\Gamma \vdash_{\mathrm{NJ}} t : \forall X\,A \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : A\{X(x_1, \ldots, x_k) := B\}$
$\Gamma \vdash_{\mathrm{NJ}} t : A\{x := e\} \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : \exists x\,A$
$\Gamma \vdash_{\mathrm{NJ}} t : A\{X(x_1, \ldots, x_k) := B\} \;\Longrightarrow\; \Gamma \vdash_{\mathrm{NJ}} t : \exists X\,A$

Constants:

$\Gamma \vdash_{\mathrm{NJ}} \mathsf{pair} : A \Rightarrow B \Rightarrow A \wedge B \qquad \Gamma \vdash_{\mathrm{NJ}} \mathsf{fst} : A \wedge B \Rightarrow A \qquad \Gamma \vdash_{\mathrm{NJ}} \mathsf{snd} : A \wedge B \Rightarrow B$
$\Gamma \vdash_{\mathrm{NJ}} 0 : \mathsf{nat}(0) \qquad \Gamma \vdash_{\mathrm{NJ}} \mathsf{s} : \forall^{\mathbb{N}}x\,\mathsf{nat}(s(x))$
$\Gamma \vdash_{\mathrm{NJ}} \mathsf{rec} : \forall Z\,(Z(0) \Rightarrow \forall^{\mathbb{N}}y\,(Z(y) \Rightarrow Z(s(y))) \Rightarrow \forall^{\mathbb{N}}x\,Z(x))$

Figure 5: Intuitionistic second-order arithmetic (HA2)
The type system of HA2 is expressive enough to provide typable proof-terms for all the theorems of intuitionistic second-order arithmetic. (The specific axioms of arithmetic are treated the same way as in PA2.)

7.3. Weak reduction and inner reduction. Proof-terms of HA2 are equipped with a binary relation of one-step weak reduction written $t \succ_w t'$ and defined from the rules

$(\lambda x\,.\,t)\,u \;\succ_w\; t\{x := u\} \qquad \mathsf{rec}\,u_0\,u_1\,0 \;\succ_w\; u_0 \qquad \mathsf{rec}\,u_0\,u_1\,(\mathsf{s}\,t) \;\succ_w\; u_1\,t\,(\mathsf{rec}\,u_0\,u_1\,t)$

$\mathsf{fst}\,(t_1; t_2) \;\succ_w\; t_1 \qquad \mathsf{snd}\,(t_1; t_2) \;\succ_w\; t_2 \qquad \dfrac{t \succ_w t'}{t\,u \succ_w t'\,u} \qquad \dfrac{u \succ_w u'}{t\,u \succ_w t\,u'}$

Note that weak reduction is allowed both in the left- and right-hand side of applications, but not below $\lambda$-abstraction (i.e. we disable the $\xi$-rule of $\lambda$-calculus). We write $\succ_w^*$ the reflexive-transitive closure of one-step weak reduction.

Lemma 7.1. If $t \succ_w t'$, then $t\{x := u\} \succ_w t'\{x := u\}$ (for all terms $u$).

Proof. By induction on the derivation of $t \succ_w t'$. □

Complementarily to the notion of weak reduction, we also define a relation of inner reduction written $t \succ_i t'$ from the rules:

$\dfrac{t \succ_w t'}{\lambda x\,.\,t \succ_i \lambda x\,.\,t'} \qquad \dfrac{t \succ_i t'}{t\,u \succ_i t'\,u} \qquad \dfrac{u \succ_i u'}{t\,u \succ_i t\,u'} \qquad \dfrac{t \succ_i t'}{\lambda x\,.\,t \succ_i \lambda x\,.\,t'}$

The reflexive-transitive closure of the relation of inner reduction is written $\succ_i^*$ while its reflexive-symmetric-transitive closure is written $=_i$.

The union of both relations $\succ_w$ and $\succ_i$ is the ordinary relation of one-step reduction, written $\succ$. By the standard method of parallel reductions we get:

Proposition 7.2. The relation $\succ$ is confluent.

We now want to deduce from this proposition a result of confluence for weak reduction modulo inner reductions. For that, we first need to show that inner reductions can be postponed, in the sense that any finite sequence of (weak and inner) reductions can be decomposed into a finite sequence of weak reductions followed by a finite sequence of inner reductions. Following Takahashi [28], we shall prove this result by introducing a notion of parallel inner reduction, written $t \succ_I t'$ and defined from the rules:

$t \succ_I t \qquad \dfrac{t \succ_w t'}{\lambda x\,.\,t \succ_I \lambda x\,.\,t'} \qquad \dfrac{t \succ_I t' \qquad u \succ_I u'}{t\,u \succ_I t'\,u'} \qquad \dfrac{t \succ_I t'}{\lambda x\,.\,t \succ_I \lambda x\,.\,t'}$

From this definition it is clear that $(\succ_i) \subseteq (\succ_I) \subseteq (\succ_i^*)$, so that $(\succ_I^*) = (\succ_i^*)$. We first check that parallel inner reduction enjoys the expected property of substitutivity:

Lemma 7.3. If $t \succ_I t'$ and $u \succ_I u'$, then $t\{x := u\} \succ_I t'\{x := u'\}$.

Proof. By induction on the derivation of $t \succ_I t'$. □

Proposition 7.4. If $t \succ_I t' \succ_w u$, then $t \succ_w u_0 \succ_I u$ for some term $u_0$.

Proof. By induction on the derivation of $t' \succ_w u$. □

Corollary 7.5 (Postponement). If $t \succ^* u$, then $t \succ_w^* u_0 \succ_i^* u$ for some $u_0$.

Proof. We first show that if $t \succ_I t' \succ_w^* u$, then $t \succ_w^* u_0 \succ_I u$ for some $u_0$, by induction on the number of reduction steps in $t' \succ_w^* u$ using Prop. 7.4. From this we deduce the desired property by induction on the number of reduction steps in $t \succ^* u$, using the fact that $(\succ_I^*) = (\succ_i^*)$. □

From Prop. 7.2 and Corollary 7.5 we immediately get:

Proposition 7.6 (Confluence of $\succ_w$ modulo $=_i$). If $t \succ_w^* t_1$ and $t \succ_w^* t_2$, then there are terms $t'_1$ and $t'_2$ such that $t_1 \succ_w^* t'_1$, $t_2 \succ_w^* t'_2$ and $t'_1 =_i t'_2$.

7.4. The intuitionistic realizability model. We now build a simple realizability model for the type system defined above, in which formulas are interpreted as saturated sets of terms, that is, as sets of closed proof-terms $S \subseteq \Lambda$ such that both conditions $t \succ_w t'$ and $t' \in S$ imply $t \in S$. The set of all saturated sets is written $\mathrm{SAT}$.

Here, a valuation is a function $\rho$ whose domain is a finite set of (first- and second-order) variables, such that:

• $\rho(x) \in \mathbb{N}$ for every first-order variable $x \in \mathrm{dom}(\rho)$;

• $\rho(X) : \mathbb{N}^k \to \mathrm{SAT}$ for every $k$-ary second-order variable $X \in \mathrm{dom}(\rho)$.

Parametric expressions, formulae and contexts are defined as before. Every closed parametric formula $A[\rho]$ is interpreted as a saturated set $[\![A[\rho]]\!] \in \mathrm{SAT}$ that is defined by the expected equations

$[\![X(e_1, \ldots, e_k)[\rho]]\!] \;=\; \rho(X)(\mathrm{Val}(e_1[\rho]), \ldots, \mathrm{Val}(e_k[\rho]))$
$[\![\mathsf{null}(e)[\rho]]\!] \;=\; \Lambda$ if $\mathrm{Val}(e[\rho]) = 0$, and $\;=\; \emptyset$ if $\mathrm{Val}(e[\rho]) \neq 0$
$[\![\mathsf{nat}(e)[\rho]]\!] \;=\; \{t \in \Lambda : t \succ_w^* \mathsf{s}^n 0,\ \text{where } n = \mathrm{Val}(e[\rho])\}$
$[\![(A \Rightarrow B)[\rho]]\!] \;=\; \{t \in \Lambda : \forall u \in [\![A[\rho]]\!]\ \ t\,u \in [\![B[\rho]]\!]\}$
$[\![(A \wedge B)[\rho]]\!] \;=\; \{t \in \Lambda : \exists t_1 \in [\![A[\rho]]\!]\ \exists t_2 \in [\![B[\rho]]\!]\ \ t \succ_w^* (t_1; t_2)\}$
$[\![(\forall x\,A)[\rho]]\!] \;=\; \bigcap_{n \in \mathbb{N}} [\![A[\rho; x \leftarrow n]]\!] \qquad [\![(\forall X\,A)[\rho]]\!] \;=\; \bigcap_{F : \mathbb{N}^k \to \mathrm{SAT}} [\![A[\rho; X \leftarrow F]]\!]$
$[\![(\exists x\,A)[\rho]]\!] \;=\; \bigcup_{n \in \mathbb{N}} [\![A[\rho; x \leftarrow n]]\!] \qquad [\![(\exists X\,A)[\rho]]\!] \;=\; \bigcup_{F : \mathbb{N}^k \to \mathrm{SAT}} [\![A[\rho; X \leftarrow F]]\!]$

In what follows, we shall write $t \Vdash_{\mathrm{NJ}} A[\rho]$ for $t \in [\![A[\rho]]\!]$.

Lemma 7.7. If $A$ and $A'$ are two formulae of HA2 such that $A \cong A'$, then for all valuations $\rho$ closing $A$ and $A'$ we have $[\![A[\rho]]\!] = [\![A'[\rho]]\!]$.

7.5. Adequacy. Given a substitution $\sigma$ and a closed parametric context $\Gamma[\rho]$, we write $\sigma \Vdash_{\mathrm{NJ}} \Gamma[\rho]$ when $\mathrm{dom}(\Gamma) \subseteq \mathrm{dom}(\sigma)$ and $\sigma(x) \Vdash_{\mathrm{NJ}} A[\rho]$ for all $(x : A) \in \Gamma$. We say that:

• A judgment $\Gamma \vdash_{\mathrm{NJ}} t : A$ is sound when for all valuations $\rho$ and for all substitutions $\sigma$ such that $\sigma \Vdash_{\mathrm{NJ}} \Gamma[\rho]$, we have $t[\sigma] \Vdash_{\mathrm{NJ}} A[\rho]$.

• An inference rule $\dfrac{P_1 \;\cdots\; P_n}{C}$ (where $P_1, \ldots, P_n$ and $C$ are typing judgments) is sound when the soundness of its premises $P_1, \ldots, P_n$ (in the above sense) implies the soundness of its conclusion $C$.

Proposition 7.8 (Adequacy). The typing rules of Fig. 5 are sound.

From this result, we immediately get:

Proposition 7.9 (Witness property). If $\vdash_{\mathrm{NJ}} t : \exists^{\mathbb{N}}x\,\mathsf{null}(f(x))$, then there are a number $n \in \mathbb{N}$ and a closed term $u$ such that $f(n) = 0$ and $t \succ_w^* (\mathsf{s}^n 0; u)$.

Proof. From the definition of the denotation of the formula $\exists^{\mathbb{N}}x\,\mathsf{null}(f(x)) \equiv \exists x\,(\mathsf{nat}(x) \wedge \mathsf{null}(f(x)))$ in the realizability model, we know that there are a number $n \in \mathbb{N}$ and a term $u \in \Lambda$ such that $t \succ_w^* (\mathsf{s}^n 0; u)$ and $u \in [\![\mathsf{null}(f(n))]\!]$. This means that the denotation $[\![\mathsf{null}(f(n))]\!]$ is inhabited, so that $f(n) = 0$ (by definition of the interpretation of the predicate $\mathsf{null}$). □

8. The negative translation 



8.1. Translating formulae. We now define a negative translation of the formulae of PA2+ 
(Fig. [Hand [3]) into formute of HA2 (Fig. [5]). We do not consider the usual double negation 
translation, but Streicher and Oliva's negative translation [25], that is designed to mimic 
Krivine's realizability in intuitionistic logic. Technically, this translation is parameterized 
by a fixed formula R (of HA2) that is intended to represent the pole _IL. In what follows, 
we write ^rA as a shorthand for yl P. 

Every formula A of PA2^ is translated as two formula of HA2, written A~^^ and A-^. 
Intuitively, the intuitionistic formula A^ represents the type of stacks facing a classical 
proof of A] it is mainly built using the connective A (representing the operation of consing) 
and from the two primitive forms of existential quantifications in HA2 (corresponding to 
universal quantification from the point of view of stacks). The intuitionistic formula A~^^ — 
that represents the type of classical proofs of A — is uniformly defined by A~^^ = ^rA-^. 
Formally: 

Definition 8.1 (Definition of the negative translation). The formula A-^ is defined by 
induction on A by the equations 

(X(ei ,...,ek))^ = X{ei , . . . , e^) (nun(e))^ = nun(neg(e)) 

{A =^ B)^ = A^^ A (Vx A)^ = 3x A^ 

({e} ^ B)^ = nat(e) A B^ (VX A.)^ = 3X A^ 

(using the unary function 'neg' defined in section [2TT|l . whereas the formula A'^^ is defined 
as A-^^ = ^rA-^ = A^ ^R. 

Remark 8.2. Notice that through this translation, we have 

{\/vA{v)y^ = 3vA{v)^^R ^ ^v{A{v)^^R) = Vt; (^(u)^^) , 

using the specific commutation rules of HA2. These conversions are crucial for the transla- 
tion of the introduction and elimination rules of first- and second-order universal quantifi- 
cations in the proof of Prop. 18. 6[ 

We first check that the translations $A \mapsto A^\perp$ and $A \mapsto A^{\perp\perp}$ are substitutive:

Lemma 8.3 (Substitutivity). For all arithmetic expressions e and for all formulæ A and B of PA2+:

(1) $(A\{x := e\})^\perp = A^\perp\{x := e\}$
(2) $(A\{x := e\})^{\perp\perp} = A^{\perp\perp}\{x := e\}$
(3) $(A\{X(x_1,\dots,x_k) := B\})^\perp = A^\perp\{X(x_1,\dots,x_k) := B^\perp\}$
(4) $(A\{X(x_1,\dots,x_k) := B\})^{\perp\perp} = A^{\perp\perp}\{X(x_1,\dots,x_k) := B^\perp\}$

Proof. Item 1 is proved by induction on A, and item 2 immediately follows from item 1 (since $A^{\perp\perp} = A^\perp \Rightarrow R$). The same holds for items 3 and 4. □

It is a simple exercise to check that:

Lemma 8.4. If $A \cong A'$ (PA2+), then $A^\perp \cong A'^\perp$ and $A^{\perp\perp} \cong A'^{\perp\perp}$ (HA2).

Proof. This is obvious for the defining equations of function symbols (which are the same in both systems), since the translation does not affect arithmetic expressions. We only have to check that

$(\mathrm{null}(s(e)))^\perp = \mathrm{null}(\mathrm{neg}(s(e))) \;\cong\; \mathrm{null}(0) \;\cong\; \exists Z\,Z = (\forall Z\,Z)^\perp = (\bot)^\perp\,.$

The rest of the proof proceeds by a straightforward induction. □

We finally extend the translation $A \mapsto A^{\perp\perp}$ to a translation $\Gamma \mapsto \Gamma^{\perp\perp}$ that transforms any context $\Gamma$ of PA2+ into a context $\Gamma^{\perp\perp}$ of HA2. This translation is defined by induction on the length of $\Gamma$ as follows:

$\emptyset^{\perp\perp} = \emptyset$
$(\Gamma, x : A)^{\perp\perp} = \Gamma^{\perp\perp},\ x : A^{\perp\perp}$
$(\Gamma, x : \{e\})^{\perp\perp} = \Gamma^{\perp\perp},\ x : \mathrm{nat}(e)\,.$

8.2. CPS-translating terms and stacks. To define the translation of proof-terms, we introduce the convenient shorthand

$\mathrm{let}\ (x; y) = u\ \mathrm{in}\ t \;\equiv\; (\lambda xy\,.\,t)\ (\mathrm{fst}\ u)\ (\mathrm{snd}\ u)$        ('destructing let')

We first define a translation $t \mapsto t^*$ from proof-terms of PA2+ (Fig. 1 and 3) into proof-terms of HA2 (Fig. 5). We will later extend this translation to continuation constants $\mathsf{k}_\pi$ and stacks. Formally:

Definition 8.5 (Translation of proof-terms). We associate to every proof-term t of PA2+ a proof-term $t^*$ of HA2 that is inductively defined by:

$x^* = x$
$(tu)^* = \lambda k\,.\,t^*\,(u^*; k)$
$(\lambda x\,.\,t)^* = \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ t^*\,k'$
$(\mathsf{cc})^* = \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ x\,((\lambda k''\,.\,\mathrm{let}\ (y; \_) = k''\ \mathrm{in}\ y\,k'); k')$
$(\bar n)^* = s^n 0$
$(\mathsf{s})^* = \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ \mathrm{let}\ (y; k'') = k'\ \mathrm{in}\ y\,(s\,x; k'')$
$(\mathsf{rec})^* = \lambda k\,.\,\mathrm{let}\ (z_0; k') = k\ \mathrm{in}\ \mathrm{let}\ (z_1; k'') = k'\ \mathrm{in}\ \mathrm{let}\ (x; k''') = k''\ \mathrm{in}\ \mathrm{rec}\ z_0\ (\lambda x'yk_0\,.\,z_1\,(x'; (\lambda k_1\,.\,y\,k_1; k_0)))\ x\ k'''$

Notice how the destructing let is used to mimic the destruction of the stack represented by the continuation variable k. Also note that the translation of the constant $\bar n$ does not start with a continuation abstraction $\lambda k\,.\,\ldots$, which reflects the fact that this construct is not intended to appear in head position.

We can now prove the following:

Proposition 8.6 (Correctness w.r.t. typing). If $\Gamma \vdash_{\mathrm{NK}} t : A$ in PA2+, then $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp}$ (in the sense of Fig. [?]).

Proof. By induction on the derivation, distinguishing cases according to the last applied rule. We first treat the cases of the rules of Fig. 1.

• Axiom. Immediate, since $x^* = x$.

• Conversion. Immediately follows from Lemma 8.4.

• ⇒-intro. The desired judgment comes from the following derivation, read from the premise down to the conclusion (we omit obvious branches and mark the uses of the admissible rule of weakening):

  (IH)          $(\Gamma, x : A)^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : B^{\perp\perp}$
  (weakening)   $\Gamma^{\perp\perp},\ k : A^{\perp\perp} \wedge B^\perp,\ x : A^{\perp\perp},\ k' : B^\perp \vdash_{\mathrm{NJ}} t^* : B^\perp \Rightarrow R$
                $\Gamma^{\perp\perp},\ k : A^{\perp\perp} \wedge B^\perp,\ x : A^{\perp\perp},\ k' : B^\perp \vdash_{\mathrm{NJ}} t^*\,k' : R$
                $\Gamma^{\perp\perp},\ k : A^{\perp\perp} \wedge B^\perp \vdash_{\mathrm{NJ}} \mathrm{let}\ (x; k') = k\ \mathrm{in}\ t^*\,k' : R$
                $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ t^*\,k' : (A \Rightarrow B)^{\perp\perp}$

  where the final term is $(\lambda x\,.\,t)^*$. (The same conventions are used in the derivations below.)

• ⇒-elim. The desired judgment comes from the following derivation:

  (IH)          $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (A \Rightarrow B)^{\perp\perp}$        (IH)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} u^* : A^{\perp\perp}$
  (weakening)   $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp} \wedge B^\perp \Rightarrow R$        $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} (u^*; k) : A^{\perp\perp} \wedge B^\perp$
                $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^*\,(u^*; k) : R$
                $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,t^*\,(u^*; k) : B^{\perp\perp}$

  where the final term is $(tu)^*$.

• ∀-intro (1st order). The desired judgment comes from the derivation

  (IH)           $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp}$
  (∀-intro)      $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : \forall x\,A^{\perp\perp}$
  (Remark 8.2)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\forall x\,A)^{\perp\perp}$

• ∀-elim (1st order). The desired judgment comes from the derivation

  (IH)           $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\forall x\,A)^{\perp\perp}$
  (Remark 8.2)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : \forall x\,(A^{\perp\perp})$
  (∀-elim)       $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp}\{x := e\}$
  (Lemma 8.3)    $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (A\{x := e\})^{\perp\perp}$

• ∀-intro (2nd order). The desired judgment comes from the derivation

  (IH)           $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp}$
  (∀-intro)      $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : \forall X\,A^{\perp\perp}$
  (Remark 8.2)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\forall X\,A)^{\perp\perp}$

• ∀-elim (2nd order). The desired judgment comes from the derivation

  (IH)           $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\forall X\,A)^{\perp\perp}$
  (Remark 8.2)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : \forall X\,(A^{\perp\perp})$
  (∀-elim)       $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : A^{\perp\perp}\{X(x_1,\dots,x_k) := B^\perp\}$
  (Lemma 8.3)    $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (A\{X(x_1,\dots,x_k) := B\})^{\perp\perp}$

• Peirce's law. Let us use the shorthand $u_{k'} \equiv \lambda k''\,.\,\mathrm{let}\ (y; \_) = k''\ \mathrm{in}\ y\,k'$. The desired judgment comes from the derivation

                $k' : A^\perp,\ k'' : A^{\perp\perp} \wedge B^\perp,\ y : A^{\perp\perp} \vdash_{\mathrm{NJ}} y\,k' : R$
                $k' : A^\perp,\ k'' : A^{\perp\perp} \wedge B^\perp \vdash_{\mathrm{NJ}} \mathrm{let}\ (y; \_) = k''\ \mathrm{in}\ y\,k' : R$
                $k' : A^\perp \vdash_{\mathrm{NJ}} \lambda k''\,.\,\mathrm{let}\ (y; \_) = k''\ \mathrm{in}\ y\,k' : (A \Rightarrow B)^{\perp\perp}$
  (weakening)   $x : (A \Rightarrow B)^{\perp\perp} \wedge A^\perp \Rightarrow R,\ k' : A^\perp \vdash_{\mathrm{NJ}} u_{k'} : (A \Rightarrow B)^{\perp\perp}$
                $x : (A \Rightarrow B)^{\perp\perp} \wedge A^\perp \Rightarrow R,\ k' : A^\perp \vdash_{\mathrm{NJ}} (u_{k'}; k') : (A \Rightarrow B)^{\perp\perp} \wedge A^\perp$
                $x : (A \Rightarrow B)^{\perp\perp} \wedge A^\perp \Rightarrow R,\ k' : A^\perp \vdash_{\mathrm{NJ}} x\,(u_{k'}; k') : R$
  (weakening)   $k : ((A \Rightarrow B) \Rightarrow A)^{\perp\perp} \wedge A^\perp,\ x : ((A \Rightarrow B) \Rightarrow A)^{\perp\perp},\ k' : A^\perp \vdash_{\mathrm{NJ}} x\,(u_{k'}; k') : R$
                $k : ((A \Rightarrow B) \Rightarrow A)^{\perp\perp} \wedge A^\perp \vdash_{\mathrm{NJ}} \mathrm{let}\ (x; k') = k\ \mathrm{in}\ x\,(u_{k'}; k') : R$
                $\vdash_{\mathrm{NJ}} \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ x\,(u_{k'}; k') : (((A \Rightarrow B) \Rightarrow A) \Rightarrow A)^{\perp\perp}$
  (weakening)   $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ x\,(u_{k'}; k') : (((A \Rightarrow B) \Rightarrow A) \Rightarrow A)^{\perp\perp}$

  where the final term is $(\mathsf{cc})^*$ (Def. 8.5).



Let us now treat the rules of Fig. 3.

• {_}⇒-intro. The desired judgment comes from the derivation:

  (IH)          $(\Gamma, x : \{e\})^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : B^{\perp\perp}$
  (weakening)   $\Gamma^{\perp\perp},\ k : \mathrm{nat}(e) \wedge B^\perp,\ x : \mathrm{nat}(e),\ k' : B^\perp \vdash_{\mathrm{NJ}} t^* : B^\perp \Rightarrow R$
                $\Gamma^{\perp\perp},\ k : \mathrm{nat}(e) \wedge B^\perp,\ x : \mathrm{nat}(e),\ k' : B^\perp \vdash_{\mathrm{NJ}} t^*\,k' : R$
                $\Gamma^{\perp\perp},\ k : \mathrm{nat}(e) \wedge B^\perp \vdash_{\mathrm{NJ}} \mathrm{let}\ (x; k') = k\ \mathrm{in}\ t^*\,k' : R$
                $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,\mathrm{let}\ (x; k') = k\ \mathrm{in}\ t^*\,k' : (\{e\} \Rightarrow B)^{\perp\perp}$

  where the final term is $(\lambda x\,.\,t)^*$.

• {_}⇒-elim-1. The desired judgment comes from the derivation:

  (IH)          $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\{e\} \Rightarrow B)^{\perp\perp}$        (axiom)   $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} x : \mathrm{nat}(e)$
  (weakening)   $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^* : \mathrm{nat}(e) \wedge B^\perp \Rightarrow R$        $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} (x; k) : \mathrm{nat}(e) \wedge B^\perp$
                $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^*\,(x; k) : R$
                $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,t^*\,(x; k) : B^{\perp\perp}$

  where the final term is $(tx)^*$.

• {_}⇒-elim-2. The desired judgment comes from the derivation:

  (IH)          $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} t^* : (\{n\} \Rightarrow B)^{\perp\perp}$        $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} s^n 0 : \mathrm{nat}(n)$
  (weakening)   $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^* : \mathrm{nat}(n) \wedge B^\perp \Rightarrow R$        $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} (s^n 0; k) : \mathrm{nat}(n) \wedge B^\perp$
                $\Gamma^{\perp\perp},\ k : B^\perp \vdash_{\mathrm{NJ}} t^*\,(s^n 0; k) : R$
                $\Gamma^{\perp\perp} \vdash_{\mathrm{NJ}} \lambda k\,.\,t^*\,(s^n 0; k) : B^{\perp\perp}$

  where the final term is $(t\bar n)^*$.

The cases of $\mathsf{s}$ and $\mathsf{rec}$ are left to the reader. □

8.2.1. Extending the translation to the full λc-calculus. We now extend the translation $t \mapsto t^*$ defined on the proof-terms of PA2+ into a full translation of the λc-calculus. For that, we close the set of instructions $\mathcal{K}$ by letting

$\mathcal{K} = \{\mathsf{cc};\ \mathsf{s};\ \mathsf{rec};\ \mathsf{stop}\} \cup \{\bar n : n \in \mathbb{N}\}\,,$

and we close the relation of evaluation $\succ$ by defining it as the union of the rules (Grab), (Push), (Call/cc), (Resume), (Succ), (Rec-0) and (Rec-s).

Formally, we define by mutual induction on t and $\pi$ two translations $t \mapsto t^*$ (where t now ranges over all terms of the λc-calculus) and $\pi \mapsto \pi^*$ by adding to the equations of Def. 8.5 the following:

$(\mathsf{k}_\pi)^* = \lambda k\,.\,\mathrm{let}\ (x; \_) = k\ \mathrm{in}\ x\,\pi^*$        $\diamond^* = 0$
$\mathsf{stop}^* = \lambda z\,.\,z$        $(t \cdot \pi)^* = (t^*; \pi^*)$

Stacks are translated here in the obvious way, that is, as finite lists. Note that the bottom of the stack $\diamond$ could be translated by any closed term as well: it has no evaluation rule, and it is not involved in the type system of PA2. On the other hand, we translate $\mathsf{stop}$ as the identity term, and this choice will be important in the analysis of section 8.4. Finally, processes are translated by letting:

$(t \star \pi)^* = t^*\,\pi^*\,.$



8.3. Simulation of evaluation by weak reduction. The expected property would be that each evaluation step $t_1 \star \pi_1 \succ t_2 \star \pi_2$ in λc corresponds to one or several weak reduction steps $t_1^*\,\pi_1^* \succ^* t_2^*\,\pi_2^*$ through the CPS-translation. Although this works for almost all the evaluation rules (application, abstraction, call/cc, continuation and successor), the property does not hold for the rule (Rec-s), so that we need to refine it a little bit more.

Proposition 8.7 (One step simulation). If $t_1 \star \pi_1 \succ t_2 \star \pi_2$ (one step evaluation in λc), then $t_1^*\,\pi_1^* \succ^* u$ (weak reduction) for some term $u \cong_i t_2^*\,\pi_2^*$ (inner conversion). Moreover, for all rules but (Rec-s), we have $u = t_2^*\,\pi_2^*$.

Proof. We distinguish cases according to the applied rule. The cases of abstraction, application, call/cc and continuation constants are easy (they do not involve inner conversion steps) and standard [25], so that we do not treat them here. Let us consider the evaluation rules dealing with primitive numerals.

• Rule (Succ). We have:

$(\mathsf{s} \star \bar n \cdot u \cdot \pi)^* = \mathsf{s}^*\,(s^n 0; (u^*; \pi^*)) \;\succ^*\; u^*\,(s^{n+1} 0; \pi^*) = (u \star \overline{n+1} \cdot \pi)^*$

• Rule (Rec-0). We have:

$(\mathsf{rec} \star u_0 \cdot u_1 \cdot \bar 0 \cdot \pi)^* = \mathsf{rec}^*\,(u_0^*; (u_1^*; (0; \pi^*))) \;\succ^*\; \mathrm{rec}\ u_0^*\ T[u_1^*]\ 0\ \pi^* \;\succ\; u_0^*\,\pi^* = (u_0 \star \pi)^*\,,$

writing $T[z] \equiv \lambda x'yk_0\,.\,z\,(x'; (\lambda k_1\,.\,y\,k_1; k_0))$.

• Rule (Rec-s). We have:

$(\mathsf{rec} \star u_0 \cdot u_1 \cdot \overline{n+1} \cdot \pi)^* = \mathsf{rec}^*\,(u_0^*; (u_1^*; (s^{n+1} 0; \pi^*)))$
$\quad\succ^*\; \mathrm{rec}\ u_0^*\ T[u_1^*]\ (s^{n+1} 0)\ \pi^*$
$\quad\succ^*\; u_1^*\,(s^n 0; (\lambda k_1\,.\,\mathrm{rec}\ u_0^*\ T[u_1^*]\ (s^n 0)\ k_1; \pi^*))$

Moreover:

$u_1^*\,(s^n 0; (\lambda k_1\,.\,\mathrm{rec}\ u_0^*\ T[u_1^*]\ (s^n 0)\ k_1; \pi^*))$
$\quad\cong_i\; u_1^*\,(s^n 0; (\lambda k_1\,.\,(\mathsf{rec}\ u_0\ u_1\ \bar n)^*\,k_1; \pi^*))$
$\quad\cong_i\; u_1^*\,(s^n 0; ((\mathsf{rec}\ u_0\ u_1\ \bar n)^*; \pi^*)) = (u_1 \star \bar n \cdot (\mathsf{rec}\ u_0\ u_1\ \bar n) \cdot \pi)^*$

(In the second last line, we mimic η-reduction with an inner reduction step, using the fact that the term $(\mathsf{rec}\ u_0\ u_1\ \bar n)^*$ is an abstraction.) □

Corollary 8.8 (Grand simulation). If $t_1 \star \pi_1 \succ^* t_2 \star \pi_2$ (evaluation in λc), then $t_1^*\,\pi_1^* \succ^* u$ (weak reduction) for some term $u \cong_i t_2^*\,\pi_2^*$.

Proof. By induction on the number of evaluation steps, using Prop. 8.7 and Corollary 7.5 for the induction case. □

8.4. The negative interpretation of classical witness extraction. Let us now reinterpret the classical witness extraction method described in section 5 through the negative translation defined above.

For that, let us consider a closed classical proof-term $t_0$ such that

$\vdash_{\mathrm{NK}} t_0 : \exists^{\mathbb{N}} x\ f(x) = 0$

(where $\exists^{\mathbb{N}} x\ f(x) = 0 \;\equiv\; \forall Z\,(\forall x\,(\{x\} \Rightarrow f(x) = 0 \Rightarrow Z) \Rightarrow Z)$), and let us analyze the behavior of the process

$p_0 \;\equiv\; t_0 \star (\lambda xy\,.\,y\,(\mathsf{stop}\,x)) \cdot \diamond$

that performs witness extraction (by Prop. 5.3) through the negative translation of section 8.1 and the CPS-translation of section 8.2. (We can end $p_0$ with the empty stack by the results of section 5.3.)

In the sequel, we write $u \equiv \lambda xy\,.\,y\,(\mathsf{stop}\,x)$.
8.4.1. Typing the process $(p_0)^*$. From Prop. 8.6 we get

$\vdash_{\mathrm{NJ}} t_0^* : \forall Y\,\big(\forall x\,(\mathrm{nat}(x) \wedge (f(x) = 0)^{\perp\perp} \wedge Y \Rightarrow R) \wedge Y \Rightarrow R\big)$

(writing conjunction right-associative), so that by instantiating Y with $\top$:

$\vdash_{\mathrm{NJ}} t_0^* : \forall x\,(\mathrm{nat}(x) \wedge (f(x) = 0)^{\perp\perp} \wedge \top \Rightarrow R) \wedge \top \Rightarrow R\,.$

Let us now fix the pole R by letting $R \equiv \exists^{\mathbb{N}} x\ \mathrm{null}(f(x))$. Since $\mathsf{stop}^* = \lambda z\,.\,z$, we can give it the type

$\vdash_{\mathrm{NJ}} \mathsf{stop}^* : \forall x\,(\mathrm{nat}(x) \wedge \mathrm{null}(f(x)) \Rightarrow R)\,,$

which is precisely the introduction rule of numeric existential quantification. (Remember that $R \equiv \exists^{\mathbb{N}} x\ \mathrm{null}(f(x)) \equiv \exists x\,(\mathrm{nat}(x) \wedge \mathrm{null}(f(x)))$.)

Thanks to this, we can typecheck through the CPS-translation all the constituents of the term u. We first have

$x : \mathrm{nat}(x) \vdash_{\mathrm{NJ}} (\mathsf{stop}\,x)^* : \mathrm{null}(f(x)) \Rightarrow R\,.$

Moreover:

$y : (f(x) = 0)^{\perp\perp} \vdash_{\mathrm{NJ}} y : \forall Z\,((Z(f(x)) \Rightarrow R) \wedge Z(0) \Rightarrow R)$

(using the definition of Leibniz equality, the axiom rule and the conversion rule), so that by instantiating $Z(x)$ with $\mathrm{null}(x)$ we get

$y : (f(x) = 0)^{\perp\perp} \vdash_{\mathrm{NJ}} y : (\mathrm{null}(f(x)) \Rightarrow R) \wedge \top \Rightarrow R\,.$

We thus have

$x : \mathrm{nat}(x),\ y : (f(x) = 0)^{\perp\perp} \vdash_{\mathrm{NJ}} (y\,(\mathsf{stop}\,x))^* : \top \Rightarrow R$

and finally:

$\vdash_{\mathrm{NJ}} u^* : \forall x\,(\mathrm{nat}(x) \wedge (f(x) = 0)^{\perp\perp} \wedge \top \Rightarrow R)\,.$

We can now typecheck the term $(u \cdot \diamond)^*$:

$\vdash_{\mathrm{NJ}} (u \cdot \diamond)^* = (u^*; 0) : \forall x\,(\mathrm{nat}(x) \wedge (f(x) = 0)^{\perp\perp} \wedge \top \Rightarrow R) \wedge \top\,,$

so that $\vdash_{\mathrm{NJ}} p_0^* = t_0^*\,(u^*; 0) : R$.

This shows that the CPS-translation of the process described in Prop. 5.3 is actually an intuitionistic proof (in HA2) of the formula $R \equiv \exists^{\mathbb{N}} x\ \mathrm{null}(f(x))$. From Prop. 7.9 we thus know that the term $(p_0)^*$ weakly reduces to a pair whose first component is the desired witness.

Through the CPS-translation defined in section 8.2, the extraction method described in section 5 thus amounts to transforming a classical proof-term $t_0$ of the formula $\exists^{\mathbb{N}} x\ f(x) = 0$ into an intuitionistic proof-term $t_0^*\,(u^*; 0)$ of the same formula (up to the coding details of numeric existential quantification and of the predicate expressing the nullity of its argument). Here we can see the essential ingredients of Friedman's transformation:

• The use of a negative translation to transform a classical proof $t_0$ of a $\Sigma^0_1$-formula into an intuitionistic proof $t_0^*$ of a more complex formula.

• The choice of the return formula R (the pole), which is precisely defined as the formula we want to prove intuitionistically.

• The key use of the introduction rule of numeric existential quantification (here via the term $\mathsf{stop}^* = \lambda z\,.\,z$) to return the desired result.
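As an added illustration (not code from the paper), the translation of Def. 8.5 and section 8.2.1 can be executed: the Python script below builds $t^*$ as a Python closure, so that evaluating $t^*\,\pi^*$ is weak reduction of the translated process $(t \star \pi)^*$, and runs a process of the shape $p_0 = t_0 \star u \cdot \diamond$ from section 8.4 to read off the witness. The tuple encoding of terms, the helper names and the term $t_0$ are assumptions of this example; $t_0$ is not claimed to be well typed, it only exercises $\mathsf{cc}$, the captured continuation and $\mathsf{stop}$.

```python
from functools import reduce

# Constructed tuple encoding of lambda_c-terms (an assumption of this example, not the
# paper's syntax): ('var', x) ('app', t, u) ('lam', x, t) ('cc',) ('num', n) ('s',)
# ('rec',) ('stop',) ('k', pi), where a stack pi is a list [top, ..., bottom].
# As in Def. 8.5 / 8.2.1: the numeral s^n 0 is the int n, a translated stack pi* is a
# nested pair (t1*, (t2*, ... 0)) whose bottom diamond is 0, and t* is a Python closure,
# so that evaluating t*(pi*) is weak reduction of the translated process (t * pi)*.

def ha2_rec(z0, f, n):   # recursor of HA2: rec z0 f 0 = z0, rec z0 f (s n) = f n (rec z0 f n)
    return z0 if n == 0 else f(n - 1, ha2_rec(z0, f, n - 1))

def cps(t, env):
    """Return t* for a term t whose free variables are bound in env."""
    tag = t[0]
    if tag == 'var':
        return env[t[1]]
    if tag == 'app':      # (t u)* = λk . t* (u*; k)
        return lambda k: cps(t[1], env)((cps(t[2], env), k))
    if tag == 'lam':      # (λx.t)* = λk . let (x; k') = k in t* k'
        return lambda k: cps(t[2], {**env, t[1]: k[0]})(k[1])
    if tag == 'cc':       # cc* = λk . let (x;k') = k in x ((λk'' . let (y;_) = k'' in y k'); k')
        return lambda k: k[0](((lambda k2: k2[0](k[1])), k[1]))
    if tag == 'num':      # n̄* = s^n 0
        return t[1]
    if tag == 's':        # s* = λk . let (x;k') = k in let (y;k'') = k' in y (s x; k'')
        return lambda k: k[1][0]((k[0] + 1, k[1][1]))
    if tag == 'rec':      # rec* = λk . let (z0;k') = k in let (z1;k'') = k' in let (x;k''') = k''
        def rec(k):       #        in rec z0 (λx'yk0 . z1 (x'; (λk1 . y k1; k0))) x k'''
            z0, (z1, (x, k3)) = k
            T = lambda x1, y: lambda k0: z1((x1, ((lambda k1: y(k1)), k0)))
            return ha2_rec(z0, T, x)(k3)
        return rec
    if tag == 'stop':     # stop* = λz . z
        return lambda z: z
    if tag == 'k':        # (k_π)* = λk . let (x; _) = k in x π*
        return lambda k, pi=stack(t[1], env): k[0](pi)
    raise ValueError(t)

def stack(pi, env):       # π* as a nested pair, bottom ◇* = 0
    return reduce(lambda acc, u: (cps(u, env), acc), reversed(pi), 0)

def run(t, pi):           # (t ⋆ π)* = t* π*, evaluated
    return cps(t, {})(stack(pi, {}))

# Constructed helpers for writing terms.
def V(x): return ('var', x)
def L(x, body): return ('lam', x, body)
def A(f, *args): return reduce(lambda acc, a: ('app', acc, a), args, f)
def N(n): return ('num', n)
CC, S, REC, STOP = ('cc',), ('s',), ('rec',), ('stop',)

def add(m, n):
    """m + n by rec: a term v with v ⋆ w·π ≻* w ⋆ (m+n)·π, so that (v ⋆ stop·◇)* evaluates
    to the pair (m+n, 0).  u0 returns m; u1 applies s to the recursive result."""
    u0 = L('u', A(V('u'), N(m)))
    u1 = L('p', L('q', L('u', A(V('q'), L('r', A(S, V('r'), V('u')))))))
    return A(REC, u0, u1, N(n))

# The process p0 = t0 ⋆ u·◇ of section 8.4 with u = λxy . y (stop x).  T0 is a constructed
# term, not claimed to be well typed (proofs of f(x)=0 are never inspected at run time):
# it first offers the witness 0, then backtracks through the continuation captured by cc
# and offers 5, which is the numeral that reaches stop.
U = L('x', L('y', A(V('y'), A(STOP, V('x')))))
T0 = L('k', A(CC, L('h', A(V('k'), N(0),
                           L('z', A(V('h'), A(V('k'), N(5), L('w', V('w')))))))))

def witness(t0):
    """First component of the pair that (t0 ⋆ u·◇)* evaluates to (cf. Prop. 7.9)."""
    return run(t0, [U])[0]

print(run(S, [N(2), STOP]), run(add(3, 2), [STOP]), witness(T0))  # (3, 0) (5, 0) 5
```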
9. Conclusion

9.1. From BHK semantics to Krivine's semantics. Friedman's extraction method consists in transforming a classical proof of an existential formula into an intuitionistic proof of the same formula. Its main drawback is that the underlying CPS-transformation makes the resulting program much bigger than the originating proof, and more difficult to understand.

For this reason, much attention has been devoted to the optimization of the extracted code. The typical approach is refined program extraction [3], which relies on a clever analysis of formulae in order to minimize the insertion of negations during the translation. In practice, such an approach gives much better programs than Friedman's method, typically when considering examples such as the one we treated in section [?]. However, the approach of refined program extraction ultimately remains intuitionistic, since the extracted program is built and analyzed according to the traditional Brouwer-Heyting-Kolmogorov (BHK) semantics, using the tools of intuitionistic realizability (i.e. the mathematical expression of BHK semantics).

In this paper, we have proposed another approach, which is to extract a program from a classical proof directly, by interpreting classical reasoning principles with control operators. The price to pay is that the computational meaning of the extracted program cannot be analyzed within the traditional BHK semantics anymore. For that, we proposed to use Krivine's theory of classical realizability, which constitutes a genuine alternative to BHK semantics for classical logic.



9.1.1. A negative semantics for classical programs. It has already been pointed out [25] that Friedman's negative translation is hard-wired in Krivine's semantics. Taking the notations of section [?], we get the correspondence:

  Krivine's semantics                              Friedman's translation
  The pole $\bot\!\!\bot$                           The formula R
  Falsity value $\|A\|$                             Formula $A^\perp$
  Truth value $|A| = \|A\|^{\bot\!\!\bot}$          Formula $A^{\perp\perp} = A^\perp \Rightarrow R$
  Classical proof-term t                           CPS-translated term $t^*$

In this paper, we have shown that the correspondence can be lifted to the level of the witness extraction methods, in the sense that the natural extraction method that comes with Krivine's machinery (section 5.2) is, up to a CPS-translation, the same as Friedman's (provided we use Streicher and Oliva's negative translation instead of the traditional not-not translation).

However, Krivine's semantics is more subtle than the composition of a negative translation with the standard BHK interpretation, since the way it is formulated makes the negative translation implicit. Thanks to this, it is possible to reason about classical programs directly. We illustrated this point with the witness extraction procedures presented in section 5 and with the construction by hand of a universal realizer of the minimum principle in section 6.

It should also be noted that Krivine's semantics is compatible with the usual deduction rules of intuitionistic logic, as soon as they are formulated in FA2 style. In particular, all the typing rules of Fig. 1 but the last one (Peirce's law) are the usual Curry-style typing rules of intuitionistic minimal logic, formulated the usual way. Any intuitionistic proof-term that is well typed in FA2 is not only correct w.r.t. the usual intuitionistic realizability semantics of FA2 [14], but it is also correct according to Krivine's semantics. The latter departs from the traditional BHK semantics only when classical reasoning is involved.

9.2. Executing extracted programs. In our approach, extracted programs are not ordinary λ-terms, but λ-terms with control operators that need to be evaluated according to a strict call-by-name discipline. Specific tools are thus required to execute them (see the footnote below).

The main implementation difficulty comes from stacks, whose machine representation has to be carefully designed in order to avoid unnecessary duplications when call/cc is executed. Fortunately, control operators were introduced in programming languages long before the discovery of their connection with classical logic, and we can benefit from the many implementation strategies that have been proposed since. To illustrate this, we shall discuss two of them. (For a survey of the different ways to implement control, see [4].)

9.2.1. Stacks as chained lists. The simplest way to implement stacks is to represent them as heap-allocated chained lists of closures. With this representation, call/cc comes for free, since it simply consists in making a copy of the current stack pointer. The main advantage of this method is that it naturally maximizes the possibility of sharing large final segments of stacks. Its main drawback is that each Push operation requires the allocation of a small block on the heap, which is subject to later garbage collection. Moreover, the resulting fragmentation of the stack may considerably degrade cache performance.

However, the simplicity of this approach makes it well suited for a small interpreter intended to quickly test small examples. This is the design currently used in the jivaro machine [23].

9.2.2. The stack/heap model. With a view to implementing a real compiler of λc-programs, a more realistic representation of stacks is given by the stack/heap model [1], where the logical stack is physically split in two parts:

• A stack cache, which consists of a mutable array of closures representing the topmost part of the logical stack. This stack cache lies in a fixed zone of the memory, and works almost like the ordinary system stack.

• A far stack, which represents the rest of the logical stack in the heap as a chained list of non-mutable blocks containing stack chunks. As for all the other heap-allocated blocks, the stack chunks of the far stack may be shared and are subject to garbage collection.

The underlying idea of the stack/heap approach is that during execution, almost all the operations on the logical stack take place in the stack cache, the manipulation of the far stack being exceptional. Pushing an argument onto the stack proceeds in the stack cache as usual, as does grabbing the topmost element. The difference is that in the latter case, the cache may underflow, in which case we need to refill the cache by copying the contents of the first block of the far stack. (After copying, the far stack pointer should point to the next block.) With this approach, call/cc only needs to make a copy of the stack cache into a newly heap-allocated block. The pointer to this newly allocated block then becomes the corresponding continuation constant, as illustrated in Fig. 6. Restoring a formerly saved stack thus consists in clearing the stack cache and letting the far stack pointer point to the first continuation block. (The stack cache will then be automatically refilled with the next Grab operation.)

Figure 6: Execution of call/cc in the stack/heap model (panel: before executing call/cc).

(Footnote to section 9.2.) We cannot directly use the interpreters and compilers dedicated to popular functional programming languages such as LISP, Caml, SML or Haskell, since these tools implement either the call-by-value discipline or the call-by-need discipline.

[Running head: EXISTENTIAL WITNESS EXTRACTION, p. 45]

The interest of this approach is that call/cc only needs to copy the part of the stack that 
has been used since the last execution of a control operator. The authors of [3] consider that 
this approach is a zero overhead approach, in the sense that it adds a negligible overhead to 
the most frequent operations Push and Grab, compared with the traditional single-chunk 
stack model. 
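An added sketch, in Python, of the stack/heap model just described (it is neither the jivaro machine nor the implementation of [1]): the cache is a bounded mutable list, far-stack blocks are immutable and therefore shared between a continuation and the live stack, call/cc copies only the cache, and Grab refills the cache on underflow. Flushing a full cache into a fresh far-stack block on Push is an assumption of this sketch, which the text does not specify.

```python
class Block:
    """One immutable block of the far stack: a stack chunk plus a link to the next block.
    Blocks are never mutated, so a continuation and the live stack can share them."""
    __slots__ = ('chunk', 'next')
    def __init__(self, chunk, nxt):
        self.chunk, self.next = tuple(chunk), nxt   # chunk[0] is the topmost entry

class StackHeapMachine:
    """Logical stack = stack cache (mutable, bounded) + far stack (chained blocks)."""
    def __init__(self, cache_size=4):
        self.cache_size = cache_size
        self.cache = []      # cache[-1] is the top of the logical stack
        self.far = None      # far stack pointer: first block, or None at the bottom ◇
        self.copied = 0      # entries copied by call/cc, to measure its cost

    def push(self, closure):
        """(Push): normally a cache write; on overflow the cache is first flushed to a
        fresh far-stack block (assumption of this sketch, not described in the text)."""
        if len(self.cache) == self.cache_size:
            self.far = Block(reversed(self.cache), self.far)
            self.cache.clear()
        self.cache.append(closure)

    def grab(self):
        """(Grab): pop the top entry; on cache underflow, refill the cache by copying the
        first far-stack block and make the far pointer point to the next block."""
        if not self.cache:
            if self.far is None:
                raise IndexError('grab on the empty stack')
            self.cache.extend(reversed(self.far.chunk))
            self.far = self.far.next
        return self.cache.pop()

    def callcc(self):
        """(Call/cc): copy only the stack cache into a new heap block; the pointer to that
        block is the continuation constant k_π, and it shares the far stack as is."""
        self.copied += len(self.cache)
        return Block(reversed(self.cache), self.far)

    def resume(self, k):
        """(Resume): clear the cache and let the far pointer point to the saved block; the
        next Grab refills the cache from it."""
        self.cache.clear()
        self.far = k

    def logical_stack(self):
        """The whole logical stack, top first (for inspection only)."""
        out, blk = list(reversed(self.cache)), self.far
        while blk is not None:
            out.extend(blk.chunk)
            blk = blk.next
        return out

def demo(cache_size=4):
    """Push six entries (one overflow), capture a continuation, push two more, grab one,
    resume the continuation and grab again.  Returns what a test can check."""
    m = StackHeapMachine(cache_size)
    for c in 'abcdef':
        m.push(c)
    k = m.callcc()               # copies only the two cached entries f, e
    m.push('g'); m.push('h')
    first = m.grab()             # 'h'
    m.resume(k)
    second = m.grab()            # 'f', after refilling the cache from k
    return first, second, m.logical_stack(), m.copied, k.next is m.far
```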



9.2.3. On the frequency of control in classical proofs. The above discussion about implementation issues raises a strong argument in favor of using λc for interpreting classical proofs. A quick look at the classical proofs of well-known theorems shows that classical reasoning is definitely not used with the same frequency as intuitionistic reasoning. Purely intuitionistic reasoning (introduction/elimination of connectives and quantifiers, induction, ...) appears everywhere, whereas classical reasoning principles are only used at a few strategic places. In some sense, one can consider that actual mathematics is more quasi-intuitionistic than really classical. The execution trace (Fig. [?], p. 30) of the example of section 6 makes the comparison more dramatic, since it shows that intuitionistic operations are executed several hundreds of times while classical operations are executed a dozen times (call/cc being invoked only once).

These figures suggest that a good execution policy for classical proofs should concentrate all the execution overhead induced by the presence of classical reasoning on the classical operations themselves (which are the less frequent ones) while keeping ordinary intuitionistic operations (the most frequent ones) as fast as possible. But this is precisely what the λc-calculus does, especially when executed in the stack/heap model described above. On the other hand, using a negative translation, even an optimized one, adds a non-negligible execution overhead to all the intuitionistic operations of the proof, just to remove the need for introducing specific operators for classical reasoning.

9.3. Classical extraction in Coq. The ideas presented in this paper have been implemented in a classical extraction module for Coq developed by the author [22]. On the theoretical side, this implementation is based on an extension of Krivine's classical realizability model to the calculus of constructions with universes [21]. This module permits the extraction of a λc-term from any classical proof formalized in Coq, provided classical logic is only allowed in the impredicative sort Prop. It also proposes witness extraction facilities based on the techniques presented in section 5.

This module automatically performs several optimizations in the extracted code. For instance, Coq unary numerals (as well as the corresponding arithmetic operators) are automatically translated into the primitive numerals discussed in section [?]. Similar optimizations are introduced to change the representation of other inductively defined data-types such as orderings. Moreover, the extractor proposes predefined optimized realizers for many theorems of Coq's standard library, following the spirit of what we did in section 6 with the minimum principle. In this way, the user can formalize classical proofs using the tools provided by Coq's standard library while benefiting from many optimizations that are allowed by the theory of classical realizability.

However, these hand-made optimized realizers are provided only for a small fragment of Coq's standard library, and there is currently no general mechanism to generate them on the fly. Future work includes the design of a general theory for realizer optimization in the framework of classical realizability, following the spirit of refined program extraction [3].